Adversaries may attempt to exfiltrate data over Bluetooth rather than the command and control channel. If the command and control network is a wired Internet connection, an adversary may opt to exfiltrate data using a Bluetooth communication channel.
Adversaries may choose to do this if they have sufficient access and proximity. Bluetooth connections might not be secured or defended as well as the primary Internet-connected channel because they are not routed through the same enterprise network.

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
CM-06 | Configuration Settings | mitigates | T1011.001 | Exfiltration Over Bluetooth | |
CM-08 | System Component Inventory | mitigates | T1011.001 | Exfiltration Over Bluetooth | |
RA-05 | Vulnerability Monitoring and Scanning | mitigates | T1011.001 | Exfiltration Over Bluetooth | |
SI-03 | Malicious Code Protection | mitigates | T1011.001 | Exfiltration Over Bluetooth | |
AC-18 | Wireless Access | mitigates | T1011.001 | Exfiltration Over Bluetooth | |
CM-02 | Baseline Configuration | mitigates | T1011.001 | Exfiltration Over Bluetooth | |
CM-07 | Least Functionality | mitigates | T1011.001 | Exfiltration Over Bluetooth | |
SI-04 | System Monitoring | mitigates | T1011.001 | Exfiltration Over Bluetooth | |

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
action.hacking.variety.Use of stolen creds | Use of stolen or default authentication credentials (including credential stuffing) | related-to | T1011.001 | Exfiltration Over Bluetooth | |
attribute.confidentiality.data_disclosure | None | related-to | T1011.001 | Exfiltration Over Bluetooth | |