Exfiltration Over Other Network Medium: Exfiltration Over Bluetooth

Adversaries may attempt to exfiltrate data over Bluetooth rather than the command and control channel. If the command and control network is a wired Internet connection, an attacker may opt to exfiltrate data using a Bluetooth communication channel.

Adversaries may choose to do this if they have sufficient access and proximity. Bluetooth connections might not be secured or defended as well as the primary Internet-connected channel because it is not routed through the same enterprise network.

ID: T1011.001
Sub-technique of:  T1011
Tactic: Exfiltration
Platforms: Linux, Windows, macOS
Data Sources: Process monitoring, User interface
Version: 1.0
Created: 09 March 2020
Last Modified: 28 March 2020

Procedure Examples

Name Description
Flame

Flame has a module named BeetleJuice that contains Bluetooth functionality that may be used in different ways, including transmitting encoded information from the infected system over the Bluetooth protocol, acting as a Bluetooth beacon, and identifying other Bluetooth devices in the vicinity.[1]

Mitigations

Mitigation Description
Disable or Remove Feature or Program

Disable Bluetooth in local computer security settings or by group policy if it is not needed within an environment.

Operating System Configuration

Prevent the creation of new network adapters where possible.

Detection

Monitor for processes utilizing the network that do not normally have network communication or have never been seen before. Processes that normally require user-driven events to access the network (for example, a web browser opening with a mouse click or key press) but access the network without such may be malicious.

Monitor for and investigate changes to host adapter settings, such as addition and/or replication of communication interfaces.

References