Adversaries may attempt to exfiltrate data over a different network medium than the command and control channel. If the command and control network is a wired Internet connection, the exfiltration may occur, for example, over a WiFi connection, modem, cellular data connection, Bluetooth, or another radio frequency (RF) channel.
Adversaries may choose to do this if they have sufficient access or proximity, and the connection might not be secured or defended as well as the primary Internet-connected channel because it is not routed through the same enterprise network.

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
SC-43 | Usage Restrictions | Protects | T1011 | Exfiltration Over Other Network Medium | |
AC-18 | Wireless Access | Protects | T1011 | Exfiltration Over Other Network Medium | |
CM-06 | Configuration Settings | Protects | T1011 | Exfiltration Over Other Network Medium | |
CM-07 | Least Functionality | Protects | T1011 | Exfiltration Over Other Network Medium | |
SI-04 | System Monitoring | Protects | T1011 | Exfiltration Over Other Network Medium | |
DEF-SECA-E3 | Security Alerts | Technique Scores | T1011 | Exfiltration Over Other Network Medium |
Comments
Microsoft Defender security alerts explain the suspicious activities detected by Defender for Identity sensors on your network, and the actors and computers involved in each threat. Alert evidence lists contain direct links to the involved users and computers, to help make your investigations easy and direct.
Defender security alerts are divided into the following categories or phases, like the phases seen in a typical cyber-attack kill chain. Learn more about each phase, the alerts designed to detect each attack, and how to use the alerts to help protect your network using the following links:
Reconnaissance and discovery alerts
Persistence and privilege escalation alerts
Credential access alerts
Lateral movement alerts
Other alerts
License: A Microsoft 365 security product license entitles customer use of Microsoft Defender XDR.
Technique ID | Technique Name | Number of Mappings |
---|---|---|
T1011.001 | Exfiltration Over Bluetooth | 8 |