Exfiltration Over Other Network Medium: Exfiltration Over Bluetooth

Adversaries may attempt to exfiltrate data over Bluetooth rather than the command and control channel. If the command and control network is a wired Internet connection, an adversary may opt to exfiltrate data using a Bluetooth communication channel.

Adversaries may choose to do this if they have sufficient access and proximity. Bluetooth connections might not be secured or defended as well as the primary Internet-connected channel because it is not routed through the same enterprise network.

ID: T1011.001
Sub-technique of:  T1011
Tactic: Exfiltration
Platforms: Linux, Windows, macOS
Version: 1.2
Created: 09 March 2020
Last Modified: 15 April 2025

Procedure Examples

ID Name Description
S0143 Flame

Flame has a module named BeetleJuice that contains Bluetooth functionality that may be used in different ways, including transmitting encoded information from the infected system over the Bluetooth protocol, acting as a Bluetooth beacon, and identifying other Bluetooth devices in the vicinity.[1]

Mitigations

ID Mitigation Description
M1042 Disable or Remove Feature or Program

Disable Bluetooth in local computer security settings or by group policy if it is not needed within an environment.

M1028 Operating System Configuration

Prevent the creation of new network adapters where possible.

Detection

ID Data Source Data Component Detects
DS0017 Command Command Execution

Monitor commands enabling Bluetooth interfaces (rfkill unblock bluetooth, btmgmt power on), execution of Bluetooth file transfer utilities (bluetoothctl, l2ping, hcitool).

Analytic 1 - Detecting Bluetooth Activation Commands

(EventCode=1 OR source="/var/log/audit/audit.log" type="execve")| where (command IN ("rfkill unblock bluetooth", "bluetoothctl power on", "btmgmt power on", "hciconfig hci0 up"))| eval risk_score=case( command IN ("rfkill unblock bluetooth", "btmgmt power on"), 9, command IN ("bluetoothctl power on", "hciconfig hci0 up"), 8)| where risk_score >= 8| stats count by _time, host, user, command, risk_score

DS0022 File File Access

Monitor file access events in directories commonly used for data staging (/tmp, C:\Users\Public), files copied to Bluetooth shared folders, or high-volume file reads or writes before network activity.

Analytic 1 - Detecting File Access Before Bluetooth Exfiltration

(EventCode=11 OR EventCode=4663 OR source="/var/log/audit/audit.log" type="open")| where (file_path IN ("/var/tmp/", "/home//Downloads/", "/media/bluetooth/", "C:\Users\\Documents\exfil"))| eval risk_score=case( file_path IN ("/media/bluetooth/"), 9, file_path IN ("/var/tmp/*"), 8)| where risk_score >= 8| stats count by _time, host, user, file_path, risk_score

DS0029 Network Traffic Network Connection Creation

Monitor for unusual Bluetooth device pairings, inbound or outbound Bluetooth connections from unexpected processes, or unexpected activation of Bluetooth Personal Area Network (PAN) services.

Analytic 1 - Detecting Unauthorized Bluetooth Network Connections

(EventCode=3 OR EventCode=10400)OR (source="zeek_conn.log" interface IN ("bt0"))| eval risk_score=case( interface IN ("bt0"), 9, process_name IN ("bluetoothctl", "bttransfer"), 8)| where risk_score >= 8| stats count by _time, host, user, interface, dest_device, risk_score

Network Traffic Content

Monitor high-volume data transfers over Bluetooth, Bluetooth PAN being used to route exfiltrated data, or Unusual Bluetooth protocol usage on enterprise endpoints.

Analytic 1 - Detecting Large Data Exfiltration via Bluetooth

(EventCode=3)OR (source="zeek_conn.log" protocol="bluetooth" bytes_out > 5000000)OR (source="firewall_logs" protocol="bluetooth" bytes_out > 10000000)| eval risk_score=case( bytes_out > 10000000, 9, bytes_out > 5000000, 8)| where risk_score >= 8| stats count by _time, host, user, dest_device, bytes_out, risk_score

Network Traffic Flow

Monitor network data for uncommon data flows., such as the usage of abnormal/unexpected protocols.

References