| ID | Name |
|---|---|
| T1011.001 | Exfiltration Over Bluetooth |
Adversaries may attempt to exfiltrate data over a different network medium than the command and control channel. If the command and control network is a wired Internet connection, the exfiltration may occur, for example, over a WiFi connection, modem, cellular data connection, Bluetooth, or another radio frequency (RF) channel.
Adversaries may choose to do this if they have sufficient access or proximity, and the connection might not be secured or defended as well as the primary Internet-connected channel because it is not routed through the same enterprise network.
| ID | Mitigation | Description |
|---|---|---|
| M1042 | Disable or Remove Feature or Program |
Disable WiFi connection, modem, cellular data connection, Bluetooth, or another radio frequency (RF) channel in local computer security settings or by group policy if it is not needed within an environment. |
| M1028 | Operating System Configuration |
Prevent the creation of new network adapters where possible.[1][2] |
| ID | Data Source | Data Component | Detects |
|---|---|---|---|
| DS0017 | Command | Command Execution |
Monitor executed commands and arguments that may attempt to exfiltrate data over a different network medium than the command and control channel |
| DS0022 | File | File Access |
Monitor for files being accessed that could be related to exfiltration, such as file reads by a process that also has an active network connection. |
| DS0029 | Network Traffic | Network Connection Creation |
Monitor for newly constructed network connections that may attempt to exfiltrate data over a different network medium than the command and control channel. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Note: Network Analysis frameworks such as Zeek can be used to capture, decode, and alert on TCP network connection creation. The below analytic is using an event ID from OSQuery. |
| Network Traffic Content |
Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)). |
||
| Network Traffic Flow |
Monitor network data for uncommon data flows., such as the usage of abnormal/unexpected protocols. |