Adversaries may attempt to exfiltrate data over Bluetooth rather than the command and control channel. If the command and control network is a wired Internet connection, an adversary may opt to exfiltrate data using a Bluetooth communication channel.
Adversaries may choose to do this if they have sufficient access and proximity. Bluetooth connections might not be secured or defended as well as the primary Internet-connected channel because it is not routed through the same enterprise network.
| ID | Name | Description |
|---|---|---|
| S0143 | Flame | Flame has a module named BeetleJuice that contains Bluetooth functionality that may be used in different ways, including transmitting encoded information from the infected system over the Bluetooth protocol, acting as a Bluetooth beacon, and identifying other Bluetooth devices in the vicinity.[1] |

| ID | Mitigation | Description |
|---|---|---|
| M1042 | Disable or Remove Feature or Program | Disable Bluetooth in local computer security settings or by group policy if it is not needed within an environment. |
| M1028 | Operating System Configuration | Prevent the creation of new network adapters where possible. |

| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| DET0554 | Detection of Bluetooth-Based Data Exfiltration | AN1531 | Detection of non-interactive or suspicious processes accessing Bluetooth interfaces and transmitting outbound traffic following file access or staging activity. |
| | | AN1532 | Use of hcitool, bluetoothctl, or rfcomm to initialize Bluetooth connection paired with recent file reads by the same user or session. |
| | | AN1533 | Observation of |
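The correlation described in analytic AN1532, worked as an added example (not part of the ATT&CK page or any vendor's analytic): a Bluetooth tool launch is flagged only when the same session read files shortly before it. The event tuple format, the session identifiers and the sample events are constructed for this example; the five-minute window is an assumed tuning value.

```python
"""Correlate Bluetooth tool execution with recent file reads in the same session.

Constructed detection example for AN1532: flag a session in which hcitool,
bluetoothctl or rfcomm is executed shortly after that session read files.
Event layout and sample data are constructed, not a real log format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

BT_TOOLS = {"hcitool", "bluetoothctl", "rfcomm"}  # tools named in AN1532
WINDOW = timedelta(minutes=5)  # assumed: how recent the file reads must be

# Constructed events: (ISO timestamp, session id, event type, detail)
SAMPLE_EVENTS = [
    ("2024-05-01T10:00:00", "s1", "file_read", "/home/alice/finance/q1.xlsx"),
    ("2024-05-01T10:00:30", "s1", "file_read", "/home/alice/finance/q2.xlsx"),
    ("2024-05-01T10:02:00", "s1", "exec", "/usr/bin/rfcomm"),        # reads, then tool
    ("2024-05-01T10:03:00", "s2", "exec", "/usr/bin/bluetoothctl"),  # no prior reads
    ("2024-05-01T08:00:00", "s3", "file_read", "/etc/hosts"),
    ("2024-05-01T10:05:00", "s3", "exec", "/usr/bin/hcitool"),       # reads too old
]


def find_suspicious_sessions(events, window=WINDOW):
    """Return {session: [(tool, [recent file paths]), ...]} for every Bluetooth
    tool execution preceded within `window` by a file read in the same session."""
    ordered = sorted(events, key=lambda e: e[0])
    reads = defaultdict(list)  # session -> [(time, path)]
    hits = defaultdict(list)
    for ts, session, kind, detail in ordered:
        t = datetime.fromisoformat(ts)
        if kind == "file_read":
            reads[session].append((t, detail))
        elif kind == "exec":
            tool = detail.rsplit("/", 1)[-1]
            if tool not in BT_TOOLS:
                continue
            recent = [p for rt, p in reads[session] if t - window <= rt <= t]
            if recent:  # tool launch with staging-like reads just before it
                hits[session].append((tool, recent))
    return dict(hits)


if __name__ == "__main__":
    for session, findings in find_suspicious_sessions(SAMPLE_EVENTS).items():
        for tool, files in findings:
            print(f"ALERT session={session} tool={tool} recent_reads={files}")
```

Only session s1 is reported: s2 launched a Bluetooth tool with no preceding reads, and s3's read falls outside the window, which is the kind of benign noise the session pairing in AN1532 is meant to suppress.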