DET0077 Detection of Exfiltration Over Alternate Network Interfaces
| Item | Value |
| --- | --- |
| ID | DET0077 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |
Technique Detected: T1011 (Exfiltration Over Other Network Medium)
Analytics
Windows
AN0212
File transfer or network connection activity over a non-primary interface (e.g., WiFi, Bluetooth, cellular) initiated by processes that do not normally generate such traffic (e.g., rundll32, powershell, regsvr32), especially when a large file read by the same process shortly precedes the transfer.
Log Sources
Mutable Elements
| Field | Description |
| --- | --- |
| InterfaceType | Filter for specific interface categories (e.g., WiFi, Bluetooth, 4G). |
| FileSizeThreshold | Tunable for environment-specific large file access events pre-transfer. |
| TimeWindow | Temporal correlation window for file read followed by network activity. |
Linux
AN0213
Use of rfkill, nmcli, or lower-level tools (e.g., iw, hcitool, pppd) to unblock or bring up an alternate interface, followed within a short window by data transfer over a non-primary NIC (e.g., wlan1, hci0, ppp0).
Log Sources
Mutable Elements
| Field | Description |
| --- | --- |
| CommandPattern | Match known interface manipulation utilities or driver invocations. |
| NetworkDevice | Tunable to non-default or rarely used interfaces (e.g., wlan1, hci0). |
macOS
AN0214
AppleScript or system calls to activate WiFi/Bluetooth interfaces (networksetup, blueutil), followed by exfiltration via AirDrop, cloud sync, or network socket.
Log Sources
Mutable Elements
| Field | Description |
| --- | --- |
| Protocol | Protocol used for exfil (e.g., AirDrop, mDNS, Apple File Service). |
| InterfaceActivityWindow | Time period between interface activation and transfer. |
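All three analytics (AN0212, AN0213, AN0214) reduce to the same correlation: a precursor event (a large file read by a suspect process, or a command that enables a WiFi/Bluetooth/cellular interface) followed on the same host, within a tunable window, by a network connection over a non-primary interface. The following Python is an added example, not MITRE's code or part of the detection strategy; it runs that correlation over constructed, already-normalized events of the kind a SIEM would emit after parsing Sysmon, auditd, or the macOS unified log. The event field names, the default values given to the mutable elements, and the per-host primary-interface baseline are assumptions and must be tuned to the environment.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Tunables mirroring the page's mutable elements. Defaults are assumed for
# illustration only.
TIME_WINDOW = timedelta(minutes=5)                 # TimeWindow / InterfaceActivityWindow
FILE_SIZE_THRESHOLD = 50 * 1024 * 1024             # FileSizeThreshold, in bytes
INTERFACE_TYPES = {"wifi", "bluetooth", "cellular"}            # InterfaceType
NETWORK_DEVICES = {"wlan1", "hci0", "ppp0", "en1", "Wi-Fi"}    # NetworkDevice (non-default)
SUSPECT_PROCESSES = {"rundll32.exe", "powershell.exe", "regsvr32.exe"}
COMMAND_PATTERN = re.compile(                      # CommandPattern
    r"\b(rfkill|nmcli|iw|hcitool|pppd|networksetup|blueutil)\b")


@dataclass
class Event:
    """Normalized telemetry record (assumed schema, not a vendor format)."""
    ts: datetime
    host: str
    kind: str              # "process" | "file_read" | "net_connect"
    process: str
    cmdline: str = ""      # for process events
    size: int = 0          # bytes read, for file_read events
    interface: str = ""    # device name, for net_connect events
    iface_type: str = ""   # wifi / bluetooth / cellular / ethernet


def precursor_reason(e):
    """Return why an event counts as a precursor to alternate-medium exfil, or None."""
    if e.kind == "process" and COMMAND_PATTERN.search(e.cmdline):
        return "interface_enable"
    if (e.kind == "file_read" and e.size >= FILE_SIZE_THRESHOLD
            and e.process.lower() in SUSPECT_PROCESSES):
        return "large_file_read"
    return None


def is_alt_transfer(e):
    """A network connection over a non-primary interface type or device."""
    return e.kind == "net_connect" and (
        e.iface_type.lower() in INTERFACE_TYPES or e.interface in NETWORK_DEVICES)


def correlate(events):
    """Pair each alternate-interface transfer with the most recent precursor
    on the same host inside TIME_WINDOW; return one alert per pairing."""
    alerts = []
    pending = {}  # host -> list of (reason, precursor event)
    for e in sorted(events, key=lambda x: x.ts):
        reason = precursor_reason(e)
        if reason:
            pending.setdefault(e.host, []).append((reason, e))
            continue
        if not is_alt_transfer(e):
            continue
        recent = [(r, p) for r, p in pending.get(e.host, [])
                  if timedelta(0) <= e.ts - p.ts <= TIME_WINDOW]
        if recent:
            reason, p = recent[-1]
            alerts.append({"host": e.host, "reason": reason,
                           "precursor": p.process, "transfer": e.process,
                           "interface": e.interface})
    return alerts


def sample_events():
    """Constructed events covering the three analytics plus two negatives."""
    t = datetime(2025, 10, 21, 10, 0, 0)
    return [
        # AN0212 (Windows): powershell reads 120 MiB, then connects over Wi-Fi.
        Event(t, "win01", "file_read", "powershell.exe", size=120 * 1024 * 1024),
        Event(t + timedelta(seconds=40), "win01", "net_connect", "powershell.exe",
              interface="Wi-Fi", iface_type="wifi"),
        # Negative: explorer over the primary Ethernet adapter.
        Event(t + timedelta(minutes=1), "win01", "net_connect", "explorer.exe",
              interface="Ethernet", iface_type="ethernet"),
        # AN0213 (Linux): nmcli enables the radio, curl then uses wlan1.
        Event(t + timedelta(hours=1), "lnx01", "process", "bash",
              cmdline="nmcli radio wifi on"),
        Event(t + timedelta(hours=1, seconds=90), "lnx01", "net_connect", "curl",
              interface="wlan1", iface_type="wifi"),
        # Negative: same pattern but the transfer is 30 minutes later, outside TIME_WINDOW.
        Event(t + timedelta(hours=2), "lnx02", "process", "bash",
              cmdline="nmcli radio wifi on"),
        Event(t + timedelta(hours=2, minutes=30), "lnx02", "net_connect", "scp",
              interface="wlan1", iface_type="wifi"),
        # AN0214 (macOS): networksetup powers on en1, sharingd then transfers over it.
        Event(t + timedelta(hours=3), "mac01", "process", "osascript",
              cmdline="do shell script \"networksetup -setairportpower en1 on\""),
        Event(t + timedelta(hours=3, minutes=2), "mac01", "net_connect", "sharingd",
              interface="en1", iface_type="wifi"),
    ]


if __name__ == "__main__":
    for a in correlate(sample_events()):
        print(a)
```

The window filter is applied at lookup time rather than by expiring the `pending` lists, which is fine for a batch run over a few events; a streaming implementation should prune precursors older than `TIME_WINDOW` per host so memory does not grow with the event volume. Tune `SUSPECT_PROCESSES` and `NETWORK_DEVICES` from an inventory of which binaries and adapters legitimately carry traffic on each host class, since a laptop fleet that roams on WiFi will otherwise alert on every reconnect.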