Detection of non-interactive or suspicious processes accessing Bluetooth interfaces and transmitting outbound traffic following file access or staging activity.

| Data Component | Name | Channel |
|---|---|---|
| Network Connection Creation (DC0082) | WinEventLog:System | EventCode=8001 |
| File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |

| Field | Description |
|---|---|
| TimeWindow | The maximum interval between a file access and subsequent Bluetooth activity for the two events to be correlated. |
| InterfaceType | May be narrowed to Bluetooth-specific interfaces or drivers, such as 'bthport.sys'. |
| FileSizeThreshold | Tune so the analytic triggers only on reads of files large enough to be worth exfiltrating. |
Use of hcitool, bluetoothctl, or rfcomm to initialize a Bluetooth connection, paired with recent file reads by the same user or session.

| Data Component | Name | Channel |
|---|---|---|
| Command Execution (DC0064) | auditd:SYSCALL | None |
| Network Connection Creation (DC0082) | linux:syslog | None |
| File Access (DC0055) | linux:osquery | None |

| Field | Description |
|---|---|
| BluetoothUtility | List of CLI tools to monitor (e.g., hcitool, rfcomm, obexftp). |
| SessionWindow | How long after the Bluetooth interface is configured a file access must occur for the two events to be linked. |
Observation of blueutil/networksetup commands or low-level APIs toggling Bluetooth or initiating transfers, especially if paired with recent large file read activity by non-GUI processes.

| Data Component | Name | Channel |
|---|---|---|
| Command Execution (DC0064) | macos:unifiedlog | None |
| Network Connection Creation (DC0082) | macos:osquery | None |
| File Access (DC0055) | macos:osquery | None |

| Field | Description |
|---|---|
| ProcessContext | Limit to background processes or scripts with no GUI interaction. |
| PayloadType | Focus on specific sensitive file types (e.g., zip, docx, keychain db). |
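The three analytics above share one correlation pattern: a file read in a session, followed within a time window by a Bluetooth utility launched from the same session. The following is an added example (not part of the original page) that implements that pattern over normalised events, using the BluetoothUtility, SessionWindow and FileSizeThreshold tunables; the event records and their field names are constructed for illustration rather than taken from any real auditd, osquery or unified log output.

```python
from datetime import datetime, timedelta

# Tunables named in the analytics above (values here are constructed for the example).
BLUETOOTH_UTILITIES = {"hcitool", "bluetoothctl", "rfcomm", "obexftp"}  # BluetoothUtility
SESSION_WINDOW = timedelta(seconds=120)                                   # SessionWindow / TimeWindow
FILE_SIZE_THRESHOLD = 1_000_000                                           # FileSizeThreshold (bytes)

def correlate(events, window=SESSION_WINDOW, utilities=BLUETOOTH_UTILITIES,
              size_threshold=FILE_SIZE_THRESHOLD):
    """Return (exec_event, file_event) pairs where one session read a file of at least
    size_threshold bytes and then launched a Bluetooth utility within `window`."""
    reads_by_session = {}  # session id -> qualifying file reads seen so far
    hits = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        sess = e["session"]
        if e["kind"] == "file_read" and e["size"] >= size_threshold:
            reads_by_session.setdefault(sess, []).append(e)
        elif e["kind"] == "exec" and e["comm"] in utilities:
            for r in reads_by_session.get(sess, []):
                # Only a read that precedes the exec and falls inside the window counts.
                if timedelta(0) <= e["ts"] - r["ts"] <= window:
                    hits.append((e, r))
    return hits

def _ts(s):
    return datetime.fromisoformat(s)

# Constructed sample events (not real telemetry), normalised to dicts with kind, ts and
# session, plus path/size for file reads (osquery-style) and comm for executions.
SAMPLE_EVENTS = [
    {"kind": "file_read", "ts": _ts("2024-05-01T10:00:00"), "session": "ses-4",
     "path": "/home/alice/Documents/payroll.xlsx", "size": 2_400_000},
    {"kind": "exec", "ts": _ts("2024-05-01T10:01:10"), "session": "ses-4", "comm": "rfcomm"},
    {"kind": "exec", "ts": _ts("2024-05-01T10:01:11"), "session": "ses-4", "comm": "ls"},
    {"kind": "file_read", "ts": _ts("2024-05-01T10:00:30"), "session": "ses-7",
     "path": "/home/bob/notes.txt", "size": 4_096},
    {"kind": "exec", "ts": _ts("2024-05-01T10:00:45"), "session": "ses-7", "comm": "hcitool"},
    {"kind": "exec", "ts": _ts("2024-05-01T10:06:00"), "session": "ses-4", "comm": "bluetoothctl"},
]

def run_sample():
    """Run the correlation over the constructed events; exactly one pair qualifies."""
    return correlate(SAMPLE_EVENTS)

if __name__ == "__main__":
    for ex, rd in run_sample():
        print(f"ALERT session={ex['session']} {ex['comm']} at {ex['ts']} "
              f"after reading {rd['path']} ({rd['size']} bytes) at {rd['ts']}")
```

In the sample, the small-file read in ses-7 falls below FileSizeThreshold and the late bluetoothctl launch in ses-4 falls outside SessionWindow, so only the rfcomm launch after the payroll read is reported; loosening either tunable changes which pairs surface.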