Exfiltration Over Other Network Medium: Exfiltration Over Bluetooth

Adversaries may attempt to exfiltrate data over Bluetooth rather than the command and control channel. If the command and control network is a wired Internet connection, an adversary may opt to exfiltrate data using a Bluetooth communication channel.

Adversaries may choose to do this if they have sufficient access and proximity. Bluetooth connections might not be secured or defended as well as the primary Internet-connected channel because it is not routed through the same enterprise network.

ID: T1011.001
Sub-technique of:  T1011
Tactic: Exfiltration
Platforms: Linux, Windows, macOS
Version: 1.1
Created: 09 March 2020
Last Modified: 08 March 2022

Procedure Examples

ID Name Description
S0143 Flame

Flame has a module named BeetleJuice that contains Bluetooth functionality that may be used in different ways, including transmitting encoded information from the infected system over the Bluetooth protocol, acting as a Bluetooth beacon, and identifying other Bluetooth devices in the vicinity.[1]

Mitigations

ID Mitigation Description
M1042 Disable or Remove Feature or Program

Disable Bluetooth in local computer security settings or by group policy if it is not needed within an environment.

M1028 Operating System Configuration

Prevent the creation of new network adapters where possible.

Detection

ID Data Source Data Component Detects
DS0017 Command Command Execution

Monitor executed commands and arguments that may attempt to exfiltrate data over Bluetooth rather than the command and control channel.

DS0022 File File Access

Monitor for files being accessed that could be related to exfiltration, such as file reads by a process that also has an active network connection. Also monitor for and investigate changes to host adapter settings, such as addition and/or replication of communication interfaces.

DS0029 Network Traffic Network Connection Creation

Monitor for newly constructed network connections that may attempt to exfiltrate data over Bluetooth rather than the command and control channel. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.

Network Traffic Content

Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

Network Traffic Flow

Monitor network data for uncommon data flows., such as the usage of abnormal/unexpected protocols.

References