T1011.001: Exfiltration Over Bluetooth

Adversaries may attempt to exfiltrate data over Bluetooth rather than the command and control channel. If the command and control network is a wired Internet connection, an adversary may opt to exfiltrate data using a Bluetooth communication channel.

Adversaries may choose to do this if they have sufficient access and proximity. Bluetooth connections might not be secured or defended as well as the primary Internet-connected channel because it is not routed through the same enterprise network.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

Monitoring of events related to processes allowing data exfiltration over Bluetooth, such as BlueDispatcher.exe.

Expert Required. The technique is detected only with the combination of «PT Product + Expert»

Detection

ID	DS0022	Data source and component	File: File Access	Description	Monitor for files being accessed that could be related to exfiltration, such as file reads by a process that also has an active network connection. Also monitor for and investigate changes to host adapter settings, such as addition and/or replication of communication interfaces.

ID	DS0029	Data source and component	Network Traffic: Network Traffic Content	Description	Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

ID	DS0029	Data source and component	Network Traffic: Network Traffic Flow	Description	Monitor network data for uncommon data flows., such as the usage of abnormal/unexpected protocols.

ID	DS0017	Data source and component	Command: Command Execution	Description	Monitor executed commands and arguments that may attempt to exfiltrate data over Bluetooth rather than the command and control channel.

ID	DS0029	Data source and component	Network Traffic: Network Connection Creation	Description	Monitor for newly constructed network connections that may attempt to exfiltrate data over Bluetooth rather than the command and control channel. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.

ID	Data source and component	Description
DS0022	File: File Access	Monitor for files being accessed that could be related to exfiltration, such as file reads by a process that also has an active network connection. Also monitor for and investigate changes to host adapter settings, such as addition and/or replication of communication interfaces.
DS0029	Network Traffic: Network Traffic Content	Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).
DS0029	Network Traffic: Network Traffic Flow	Monitor network data for uncommon data flows., such as the usage of abnormal/unexpected protocols.
DS0017	Command: Command Execution	Monitor executed commands and arguments that may attempt to exfiltrate data over Bluetooth rather than the command and control channel.
DS0029	Network Traffic: Network Connection Creation	Monitor for newly constructed network connections that may attempt to exfiltrate data over Bluetooth rather than the command and control channel. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.

Mitigation

ID	M1028	Name	Operating System Configuration	Description	Prevent the creation of new network adapters where possible.

ID	M1042	Name	Disable or Remove Feature or Program	Description	Disable Bluetooth in local computer security settings or by group policy if it is not needed within an environment.

ID	Name	Description
M1028	Operating System Configuration	Prevent the creation of new network adapters where possible.
M1042	Disable or Remove Feature or Program	Disable Bluetooth in local computer security settings or by group policy if it is not needed within an environment.