DET0554 Detection of Bluetooth-Based Data Exfiltration
| Item | Value |
| --- | --- |
| ID | DET0554 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |
Technique Detected: T1011.001 (Exfiltration Over Bluetooth)
Analytics
Windows
AN1531
Detection of non-interactive or suspicious processes accessing Bluetooth interfaces and transmitting outbound traffic following file access or staging activity.
Log Sources
Mutable Elements
| Field | Description |
| --- | --- |
| TimeWindow | Defines how quickly a file access and Bluetooth activity must occur to be correlated. |
| InterfaceType | May focus on Bluetooth-specific interfaces or drivers like `bthport.sys`. |
| FileSizeThreshold | Tune to trigger only on significant exfiltratable file reads. |
Linux
AN1532
Use of hcitool, bluetoothctl, or rfcomm to initialize a Bluetooth connection, paired with recent file reads by the same user or session.
Log Sources
Mutable Elements
| Field | Description |
| --- | --- |
| BluetoothUtility | List of CLI tools to monitor (e.g., hcitool, rfcomm, obexftp). |
| SessionWindow | Amount of time after the interface configuration within which a file access must occur for the two to be linked. |
macOS
AN1533
Observation of blueutil/networksetup commands or low-level APIs toggling Bluetooth or initiating transfers, especially if paired with recent large file read activity by non-GUI processes.
Log Sources
Mutable Elements
| Field | Description |
| --- | --- |
| ProcessContext | Limit to background processes or scripts with no GUI interaction. |
| PayloadType | Focus on specific sensitive file types (e.g., zip, docx, keychain db). |