1. Home
  2. ATT&CK Techniques
  3. T1011 Exfiltration Over Other Network Medium

T1011 Exfiltration Over Other Network Medium

Adversaries may attempt to exfiltrate data over a different network medium than the command and control channel. If the command and control network is a wired Internet connection, the exfiltration may occur, for example, over a WiFi connection, modem, cellular data connection, Bluetooth, or another radio frequency (RF) channel.

Adversaries may choose to do this if they have sufficient access or proximity, and the connection might not be secured or defended as well as the primary Internet-connected channel because it is not routed through the same enterprise network.

View in MITRE ATT&CK®

CRI Profile Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
PR.PS-01.01 Configuration baselines Mitigates T1011 Exfiltration Over Other Network Medium
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
References
    PR.PS-01.02 Least functionality Mitigates T1011 Exfiltration Over Other Network Medium
    Comments
    This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
    References
      PR.PS-01.03 Configuration deviation Mitigates T1011 Exfiltration Over Other Network Medium
      Comments
      This diagnostic statement provides protection from Exfiltration Over Other Network Medium through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configuration of the Operating System and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations.
      References

        NIST 800-53 Mappings

        Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
        CM-06 Configuration Settings mitigates T1011 Exfiltration Over Other Network Medium
        SC-43 Usage Restrictions mitigates T1011 Exfiltration Over Other Network Medium
        AC-18 Wireless Access mitigates T1011 Exfiltration Over Other Network Medium
        CM-07 Least Functionality mitigates T1011 Exfiltration Over Other Network Medium
        SI-04 System Monitoring mitigates T1011 Exfiltration Over Other Network Medium

        VERIS Mappings

        Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
        action.malware.variety.Export data Export data to another site or system related-to T1011 Exfiltration Over Other Network Medium
        attribute.confidentiality.data_disclosure None related-to T1011 Exfiltration Over Other Network Medium

        GCP Mappings

        Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
        google_secops Google Security Operations technique_scores T1011 Exfiltration Over Other Network Medium
        Comments
        Google SecOps is able to trigger an alert based off suspicious system processes or command-line arguments that could indicate exfiltration of data over other network mediums. This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/tree/main/suspicious
        References
        1. ['https://cloud.google.com/security/products/security-operations'
        2. 'https://github.com/chronicle/detection-rules']

        M365 Mappings

        Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
        DEF-SECA-E3 Security Alerts Technique Scores T1011 Exfiltration Over Other Network Medium
        Comments
        Microsoft Defender security alerts explain the suspicious activities detected by Defender for Identity sensors on your network, and the actors and computers involved in each threat. Alert evidence lists contain direct links to the involved users and computers, to help make your investigations easy and direct. Defender security alerts are divided into the following categories or phases, like the phases seen in a typical cyber-attack kill chain. Learn more about each phase, the alerts designed to detect each attack, and how to use the alerts to help protect your network using the following links: Reconnaissance and discovery alerts Persistence and privilege escalation alerts Credential access alerts Lateral movement alerts Other alerts License: A Microsoft 365 security product license entitles customer use of Microsoft Defender XDR.
        References
        1. https://learn.microsoft.com/en-us/defender-for-identity/credential-access-alerts

        ATT&CK Subtechniques

        Technique ID Technique Name Number of Mappings
        T1011.001 Exfiltration Over Bluetooth 13