Thanks to all of our ATT&CKcon participants. All sessions are here, and individual presentations will be posted soon.

Exfiltration Over Other Network Medium

Exfiltration could occur over a different network medium than the command and control channel. If the command and control network is a wired Internet connection, the exfiltration may occur, for example, over a WiFi connection, modem, cellular data connection, Bluetooth, or another radio frequency (RF) channel. Adversaries could choose to do this if they have sufficient access or proximity, and the connection might not be secured or defended as well as the primary Internet-connected channel because it is not routed through the same enterprise network.

ID: T1011

Tactic: Exfiltration

Platform:  Linux, macOS, Windows

Data Sources:  User interface, Process monitoring

Requires Network:  Yes

Contributors:  Itzik Kotler, SafeBreach

Version: 1.0

Examples

NameDescription
Flame

Flame has a module named BeetleJuice that contains Bluetooth functionality that may be used in different ways, including transmitting encoded information from the infected system over the Bluetooth protocol, acting as a Bluetooth beacon, and identifying other Bluetooth devices in the vicinity.[1]

Mitigation

Ensure host-based sensors maintain visibility into usage of all network adapters and prevent the creation of new ones where possible. [2] [3]

Detection

Processes utilizing the network that do not normally have network communication or have never been seen before. Processes that normally require user-driven events to access the network (for example, a mouse click or key press) but access the network without such may be malicious.

Monitor for and investigate changes to host adapter settings, such as addition and/or replication of communication interfaces.

References