Adversaries may attempt to exfiltrate data over Bluetooth rather than the command and control channel. If the command and control network is a wired Internet connection, an adversary may opt to exfiltrate data using a Bluetooth communication channel.
Adversaries may choose to do this if they have sufficient access and proximity. Bluetooth connections might not be secured or defended as well as the primary Internet-connected channel because it is not routed through the same enterprise network.
ID | Name | Description |
---|---|---|
S0143 | Flame | Flame has a module named BeetleJuice that contains Bluetooth functionality that may be used in different ways, including transmitting encoded information from the infected system over the Bluetooth protocol, acting as a Bluetooth beacon, and identifying other Bluetooth devices in the vicinity.[1] |

ID | Mitigation | Description |
---|---|---|
M1042 | Disable or Remove Feature or Program | Disable Bluetooth in local computer security settings or by group policy if it is not needed within an environment. |
M1028 | Operating System Configuration | Prevent the creation of new network adapters where possible. |

ID | Data Source | Data Component | Detects |
---|---|---|---|
DS0017 | Command | Command Execution | Monitor commands that enable Bluetooth interfaces (rfkill unblock bluetooth, btmgmt power on) and execution of Bluetooth file transfer utilities (bluetoothctl, l2ping, hcitool). Analytic 1 - Detecting Bluetooth Activation Commands |
DS0022 | File | File Access | Monitor file access events in directories commonly used for data staging (/tmp, C:\Users\Public), files copied to Bluetooth shared folders, or high-volume file reads or writes before network activity. Analytic 1 - Detecting File Access Before Bluetooth Exfiltration |
DS0029 | Network Traffic | Network Connection Creation | Monitor for unusual Bluetooth device pairings, inbound or outbound Bluetooth connections from unexpected processes, or unexpected activation of Bluetooth Personal Area Network (PAN) services. Analytic 1 - Detecting Unauthorized Bluetooth Network Connections |
DS0029 | Network Traffic | Network Traffic Content | Monitor high-volume data transfers over Bluetooth, Bluetooth PAN being used to route exfiltrated data, or unusual Bluetooth protocol usage on enterprise endpoints. Analytic 1 - Detecting Large Data Exfiltration via Bluetooth |
DS0029 | Network Traffic | Network Traffic Flow | Monitor network data for uncommon data flows, such as the usage of abnormal/unexpected protocols. |
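
The Command Execution and File Access rows describe their detection logic only in prose. The following is an added example, not part of the ATT&CK page or of any vendor analytic, that implements both as one small Python analytic over constructed process-start and file-access log lines: it flags the activation commands and utilities named in the Command Execution row, then raises severity when the same host touched several files in a staging directory during the preceding few minutes, which is the File Access row's "high-volume file reads before network activity" idea. The single-line log format, host and user names, file paths, the five-minute window and the three-file threshold are all assumptions made for the demo.

```python
"""Added example: flag Bluetooth activation / tool execution and correlate it
with prior staging-directory file access. Log format and sample data are
constructed for this demo and are not from the ATT&CK page."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Commands the Command Execution row lists as enabling a Bluetooth interface.
ACTIVATION_PATTERNS = {
    "rfkill_unblock": re.compile(r"^rfkill\s+unblock\s+(?:bluetooth|all)\b"),
    "btmgmt_power_on": re.compile(r"^btmgmt\b.*\bpower\s+on\b"),
}
# Bluetooth utilities from the same row; matched on the executable's base name.
BT_TOOLS = {"bluetoothctl", "l2ping", "hcitool"}
# Staging directories from the File Access row (compared case-insensitively).
STAGING_PREFIXES = ("/tmp/", "c:\\users\\public\\")


@dataclass
class Event:
    ts: datetime
    host: str
    user: str
    kind: str    # "exec" (process start) or "file" (file read/write)
    detail: str  # command line for exec, file path for file


# Constructed sample log, format assumed as: "<iso-ts> <host> <user> <kind> <detail>".
SAMPLE_LOG = """\
2024-05-01T10:00:01Z ws-17 alice file /tmp/stage/hr_export.csv
2024-05-01T10:00:02Z ws-17 alice file /tmp/stage/payroll.xlsx
2024-05-01T10:00:02Z ws-17 alice file /tmp/stage/contracts.zip
2024-05-01T10:00:30Z ws-17 alice file /home/alice/notes.txt
2024-05-01T10:00:40Z ws-17 alice exec rfkill unblock bluetooth
2024-05-01T10:00:41Z ws-17 alice exec /usr/bin/bluetoothctl connect AA:BB:CC:DD:EE:FF
2024-05-01T10:05:00Z ws-22 bob exec ls -la /home/bob
2024-05-01T11:30:00Z ws-22 bob exec bluetoothctl
"""


def parse_log(text):
    """Parse the constructed log lines into Events, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, kind, detail = line.split(maxsplit=4)
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(Event(when, host, user, kind, detail))
    return sorted(events, key=lambda e: e.ts)


def normalize(cmdline):
    """Strip the directory from the executable so /usr/bin/rfkill matches rfkill."""
    parts = cmdline.split()
    if not parts:
        return ""
    parts[0] = parts[0].rsplit("/", 1)[-1]
    return " ".join(parts)


def classify_command(cmdline):
    """Return the rule name a command line triggers, or None if it is benign."""
    cmd = normalize(cmdline)
    for name, pattern in ACTIVATION_PATTERNS.items():
        if pattern.search(cmd):
            return name
    if cmd.split()[0] in BT_TOOLS if cmd else False:
        return "bluetooth_tool"
    return None


def in_staging_dir(path):
    """True if the path lies under one of the staging directories."""
    return path.lower().startswith(STAGING_PREFIXES)


def detect(events, window=timedelta(minutes=5), min_staged=3):
    """Emit one alert per flagged exec event; severity is 'high' when the same
    host read/wrote at least min_staged staging-directory files in the window
    before the command, otherwise 'medium'."""
    alerts = []
    for ev in events:
        if ev.kind != "exec":
            continue
        rule = classify_command(ev.detail)
        if rule is None:
            continue
        staged = [f.detail for f in events
                  if f.kind == "file" and f.host == ev.host
                  and ev.ts - window <= f.ts <= ev.ts and in_staging_dir(f.detail)]
        alerts.append({"ts": ev.ts.isoformat(), "host": ev.host, "user": ev.user,
                       "rule": rule, "cmdline": ev.detail, "staged_files": staged,
                       "severity": "high" if len(staged) >= min_staged else "medium"})
    return alerts


if __name__ == "__main__":
    for a in detect(parse_log(SAMPLE_LOG)):
        print(f"{a['severity']:6} {a['ts']} {a['host']} {a['user']} {a['rule']}: "
              f"{a['cmdline']} (staged files in window: {len(a['staged_files'])})")
```

In a real deployment the `exec` events would come from auditd or EDR process-creation telemetry and the `file` events from file-access auditing; the correlation window and threshold should be tuned to how quickly the environment's users normally move files into the listed staging locations, since those directories also see plenty of benign activity.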