Execution of file transfer or network access activity through non-primary interfaces (e.g., WiFi, Bluetooth, cellular) by processes not typically associated with such behavior (e.g., rundll32, powershell, regsvr32).
| Data Component | Name | Channel |
|---|---|---|
| Network Connection Creation (DC0082) | WinEventLog:Sysmon | EventCode=3 |
| Network Traffic Content (DC0085) | WinEventLog:System | EventCode=5005 (WLAN), EventCode=302 (Bluetooth) |
| File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11 |
| Field | Description |
|---|---|
| InterfaceType | Filter for specific interface categories (e.g., WiFi, Bluetooth, 4G). |
| FileSizeThreshold | Tunable for environment-specific large file access events pre-transfer. |
| TimeWindow | Temporal correlation window for file read followed by network activity. |
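The correlation the Windows analytic above describes, written out as an added example (not part of the original page): it joins an interface-activation event (System 5005/302, filtered by InterfaceType) to a later Sysmon 3 connection by a process such as rundll32 or powershell within TimeWindow, attaching any Sysmon 11 file creation above FileSizeThreshold by the same process as staging evidence. The event dictionaries, field names and sample values are constructed for the example; a real deployment would map them from the raw log fields.

```python
from datetime import datetime, timedelta

# Tunables corresponding to the mutable elements in the table above (constructed defaults).
SUSPECT_IMAGES = {"rundll32.exe", "powershell.exe", "regsvr32.exe"}
INTERFACE_TYPES = {"WLAN", "Bluetooth"}   # InterfaceType: interface categories to monitor
FILE_SIZE_THRESHOLD = 1_000_000           # FileSizeThreshold in bytes
TIME_WINDOW = timedelta(minutes=5)        # TimeWindow for activation -> file -> connection

def ts(s):
    return datetime.fromisoformat(s)

# Constructed sample events modelled on the channels in the table:
# System 5005 = WLAN connected, Sysmon 11 = file created, Sysmon 3 = network connection.
EVENTS = [
    {"t": ts("2024-05-01T10:00:00"), "src": "System", "code": 5005, "iface": "WLAN"},
    {"t": ts("2024-05-01T10:01:10"), "src": "Sysmon", "code": 11, "image": "powershell.exe",
     "file": "C:\\Users\\a\\staging.zip", "size": 52_000_000},
    {"t": ts("2024-05-01T10:02:30"), "src": "Sysmon", "code": 3, "image": "powershell.exe",
     "dst_ip": "203.0.113.5", "dst_port": 443},
    {"t": ts("2024-05-01T10:02:40"), "src": "Sysmon", "code": 3, "image": "chrome.exe",
     "dst_ip": "203.0.113.9", "dst_port": 443},
    {"t": ts("2024-05-01T11:30:00"), "src": "Sysmon", "code": 3, "image": "rundll32.exe",
     "dst_ip": "203.0.113.7", "dst_port": 443},
]

def detect(events, window=TIME_WINDOW, iface_types=INTERFACE_TYPES,
           size_threshold=FILE_SIZE_THRESHOLD):
    """Alert on connections by suspect images that occur within `window` after an
    activation of a monitored interface type; include any large file the same
    image created between activation and connection as staging evidence."""
    events = sorted(events, key=lambda e: e["t"])
    activations = [e for e in events if e["src"] == "System"
                   and e["code"] in (5005, 302) and e["iface"] in iface_types]
    alerts = []
    for conn in events:
        if not (conn["src"] == "Sysmon" and conn["code"] == 3
                and conn["image"].lower() in SUSPECT_IMAGES):
            continue
        recent = [a for a in activations if timedelta(0) <= conn["t"] - a["t"] <= window]
        if not recent:
            continue                      # no interface activation inside the window
        act = recent[-1]                  # most recent activation before the connection
        staged = [e for e in events if e["src"] == "Sysmon" and e["code"] == 11
                  and e["image"] == conn["image"] and e["size"] >= size_threshold
                  and act["t"] <= e["t"] <= conn["t"]]
        alerts.append({"image": conn["image"], "iface": act["iface"],
                       "dst": f'{conn["dst_ip"]}:{conn["dst_port"]}',
                       "staged_file": staged[-1]["file"] if staged else None})
    return alerts
```

Shrinking the window (for example, to one minute) drops the powershell.exe alert, which is how the TimeWindow tunable trades false positives against coverage in practice.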
Use of rfkill, nmcli, or low-level tools (e.g., iw, hcitool, pppd) to enable alternate interfaces, followed by data transfer via non-primary NICs.
| Data Component | Name | Channel |
|---|---|---|
| Command Execution (DC0064) | auditd:SYSCALL | None |
| Network Traffic Flow (DC0078) | NSM:Flow | None |
| Field | Description |
|---|---|
| CommandPattern | Match known interface manipulation utilities or driver invocations. |
| NetworkDevice | Tunable to non-default or rarely used interfaces (e.g., wlan1, hci0). |
AppleScript or system calls to activate WiFi/Bluetooth interfaces (networksetup, blueutil), followed by exfiltration via AirDrop, cloud sync, or network socket.
| Data Component | Name | Channel |
|---|---|---|
| Network Traffic Content (DC0085) | macos:unifiedlog | None |
| Process Creation (DC0032) | macos:osquery | process_events |
| Host Status (DC0018) | macos:osquery | interface_details |
| Field | Description |
|---|---|
| Protocol | Protocol used for exfil (e.g., AirDrop, mDNS, Apple File Service). |
| InterfaceActivityWindow | Time period between interface activation and transfer. |