Skip to content

T1011.001 Exfiltration Over Bluetooth

Adversaries may attempt to exfiltrate data over Bluetooth rather than the command and control channel. If the command and control network is a wired Internet connection, an adversary may opt to exfiltrate data using a Bluetooth communication channel.

Adversaries may choose to do this if they have sufficient access and proximity. Bluetooth connections might not be secured or defended as well as the primary Internet-connected channel because it is not routed through the same enterprise network.

Item Value
ID T1011.001
Sub-techniques T1011.001
Tactics TA0010
Platforms Linux, Windows, macOS
Version 1.1
Created 09 March 2020
Last Modified 08 March 2022

Procedure Examples

ID Name Description
S0143 Flame Flame has a module named BeetleJuice that contains Bluetooth functionality that may be used in different ways, including transmitting encoded information from the infected system over the Bluetooth protocol, acting as a Bluetooth beacon, and identifying other Bluetooth devices in the vicinity.1

Mitigations

ID Mitigation Description
M1042 Disable or Remove Feature or Program Disable Bluetooth in local computer security settings or by group policy if it is not needed within an environment.
M1028 Operating System Configuration Prevent the creation of new network adapters where possible.

Detection

ID Data Source Data Component
DS0017 Command Command Execution
DS0022 File File Access
DS0029 Network Traffic Network Connection Creation

References

  1. Symantec Security Response. (2012, May 31). Flamer: A Recipe for Bluetoothache. Retrieved February 25, 2017.