Exfiltration Over Other Network Medium

Adversaries may attempt to exfiltrate data over a different network medium than the command and control channel. If the command and control network is a wired Internet connection, the exfiltration may occur, for example, over a WiFi connection, modem, cellular data connection, Bluetooth, or another radio frequency (RF) channel.

Adversaries may choose to do this if they have sufficient access or proximity, and the connection might not be secured or defended as well as the primary Internet-connected channel because it is not routed through the same enterprise network.

ID: T1011
Sub-techniques:  T1011.001
Tactic: Exfiltration
Platforms: Linux, Windows, macOS
Contributors: Itzik Kotler, SafeBreach
Version: 1.2
Created: 31 May 2017
Last Modified: 15 April 2025

Mitigations

ID Mitigation Description
M1042 Disable or Remove Feature or Program

Disable WiFi connection, modem, cellular data connection, Bluetooth, or another radio frequency (RF) channel in local computer security settings or by group policy if it is not needed within an environment.

M1028 Operating System Configuration

Prevent the creation of new network adapters where possible.[1][2]

Detection

ID Data Source Data Component Detects
DS0017 Command Command Execution

Monitor commands that enable alternate network interfaces (WiFi, Bluetooth, cellular), execution of utilities such as nmcli, netsh, or iwconfig that modify network settings, or unusual command-line activity related to USB tethering or VPN activation.

Analytic 1 - Detecting Alternate Network Activation Commands

(EventCode=1 OR source="/var/log/audit/audit.log" type="execve")| where (command IN ("nmcli radio wifi on", "rfkill unblock all", "netsh wlan connect", "ifconfig wlan0 up", "pppd call"))| eval risk_score=case( command IN ("nmcli radio wifi on", "netsh wlan connect"), 9, command IN ("rfkill unblock all", "ifconfig wlan0 up"), 8)| where risk_score >= 8| stats count by _time, host, user, command, risk_score

DS0022 File File Access

Monitor for access to sensitive files before potential exfiltration, files being staged in locations accessible to alternate networks, or usage of USB storage, external disks, or wireless file transfer.

Analytic 1 - Detecting File Access Before Alternate Network Exfiltration

(EventCode=11 OR EventCode=4663 OR source="/var/log/audit/audit.log" type="open")| where (file_path IN ("/media/usb/", "/mnt/usb/", "/var/tmp/exfil/", "C:\Users\\Documents\exfil"))| eval risk_score=case( file_path IN ("/media/usb/", "/mnt/usb/"), 9, file_path IN ("/var/tmp/exfil/*"), 8)| where risk_score >= 8| stats count by _time, host, user, file_path, risk_score

DS0029 Network Traffic Network Connection Creation

Monitor for newly constructed network connections that may attempt to exfiltrate data over a different network medium than the command and control channel. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.

Note: Network Analysis frameworks such as Zeek can be used to capture, decode, and alert on TCP network connection creation. The below analytic is using an event ID from OSQuery.

Analytic 1 - Detecting Exfiltration via Alternate Network Connections

(EventCode=3 OR EventCode=10400)OR (source="zeek_conn.log" interface IN ("wlan0", "ppp0", "bt0", "usb0"))| eval risk_score=case( interface IN ("wlan0", "usb0"), 9, interface IN ("ppp0", "bt0"), 8)| where risk_score >= 8| stats count by _time, host, user, interface, dest_ip, risk_score

Network Traffic Content

Monitor high-volume data transfers over secondary network connections, outbound SSH/SFTP connections over unauthorized networks, or anomalous encryption methods used for data exfiltration.

Analytic 1 - Detecting Large Data Exfiltration via Alternate Network

(EventCode=3)OR (source="zeek_conn.log" dest_port IN (22, 443, 53) AND bytes_out > 5000000)OR (source="firewall_logs" bytes_out > 10000000)| eval risk_score=case( bytes_out > 10000000, 9, bytes_out > 5000000, 8)| where risk_score >= 8| stats count by _time, host, user, dest_ip, dest_port, bytes_out, risk_score

Network Traffic Flow

Monitor network data for uncommon data flows., such as the usage of abnormal/unexpected protocols.

References