Adversaries may attempt to exfiltrate data over a different network medium than the command and control channel. If the command and control network is a wired Internet connection, the exfiltration may occur, for example, over a WiFi connection, modem, cellular data connection, Bluetooth, or another radio frequency (RF) channel.
Adversaries may choose to do this if they have sufficient access or proximity, and the connection might not be secured or defended as well as the primary Internet-connected channel because it is not routed through the same enterprise network.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| PR.PS-01.01 | Configuration baselines | Mitigates | T1011 | Exfiltration Over Other Network Medium |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
References
|
| PR.PS-01.02 | Least functionality | Mitigates | T1011 | Exfiltration Over Other Network Medium |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
References
|
| PR.PS-01.03 | Configuration deviation | Mitigates | T1011 | Exfiltration Over Other Network Medium |
Comments
This diagnostic statement provides protection from Exfiltration Over Other Network Medium through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configuration of the Operating System and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| CM-06 | Configuration Settings | mitigates | T1011 | Exfiltration Over Other Network Medium | |
| SC-43 | Usage Restrictions | mitigates | T1011 | Exfiltration Over Other Network Medium | |
| AC-18 | Wireless Access | mitigates | T1011 | Exfiltration Over Other Network Medium | |
| CM-07 | Least Functionality | mitigates | T1011 | Exfiltration Over Other Network Medium | |
| SI-04 | System Monitoring | mitigates | T1011 | Exfiltration Over Other Network Medium |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.malware.variety.Export data | Export data to another site or system | related-to | T1011 | Exfiltration Over Other Network Medium | |
| attribute.confidentiality.data_disclosure | None | related-to | T1011 | Exfiltration Over Other Network Medium |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| google_secops | Google Security Operations | technique_scores | T1011 | Exfiltration Over Other Network Medium |
Comments
Google SecOps is able to trigger an alert based off suspicious system processes or command-line arguments that could indicate exfiltration of data over other network mediums.
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/tree/main/suspicious
References
|
| Technique ID | Technique Name | Number of Mappings |
|---|---|---|
| T1011.001 | Exfiltration Over Bluetooth | 13 |