Adversaries may attempt to exfiltrate data over Bluetooth rather than the command and control channel. If the command and control network is a wired Internet connection, an adversary may opt to exfiltrate data using a Bluetooth communication channel.
Adversaries may choose to do this if they have sufficient access and proximity. Bluetooth connections might not be secured or defended as well as the primary Internet-connected channel because it is not routed through the same enterprise network.
| ID | Name | Description |
|---|---|---|
| S0143 | Flame | Flame has a module named BeetleJuice that contains Bluetooth functionality that may be used in different ways, including transmitting encoded information from the infected system over the Bluetooth protocol, acting as a Bluetooth beacon, and identifying other Bluetooth devices in the vicinity.[1] |
| ID | Mitigation | Description |
|---|---|---|
| M1042 | Disable or Remove Feature or Program | Disable Bluetooth in local computer security settings or by group policy if it is not needed within an environment. |
| M1028 | Operating System Configuration | Prevent the creation of new network adapters where possible. |
| ID | Data Source | Data Component |
|---|---|---|
| DS0017 | Command | Command Execution |
| DS0022 | File | File Access |
| DS0029 | Network Traffic | Network Connection Creation |
| DS0029 | Network Traffic | Network Traffic Content |
| DS0029 | Network Traffic | Network Traffic Flow |
Monitor for processes utilizing the network that do not normally have network communication or have never been seen before. Processes that normally require user-driven events to access the network (for example, a web browser opening with a mouse click or key press) but access the network without such an event may be malicious.
Monitor for and investigate changes to host adapter settings, such as the addition and/or replication of communication interfaces.
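The two detection ideas above (processes outside a network baseline, and changes to host adapter settings) can be combined so that traffic over a newly added adapter is flagged even when the process itself is expected to use the network. The following is an added example, not code from the ATT&CK page: it parses a few constructed key=value telemetry lines, keeps a per-host record of adapters added during the run, and returns alerts with the reasons that fired. The log format, host name, process names, interface string and the baseline set are all assumptions chosen for illustration.

```python
# Added example (not from the ATT&CK page). Constructed telemetry lines in an
# assumed key=value format; quoted values are handled with shlex.
import shlex

# Constructed baseline: processes seen making network connections during a
# learning window. In practice this would be derived from historical telemetry.
NETWORK_BASELINE = {"chrome.exe", "outlook.exe", "svchost.exe"}

# Constructed sample telemetry. Names and the interface label are placeholders.
SAMPLE_LOG = """
host=ws01 kind=net_connect process=chrome.exe iface=Ethernet0
host=ws01 kind=adapter_change action=added iface="Bluetooth Network Connection"
host=ws01 kind=net_connect process=notepad.exe iface="Bluetooth Network Connection"
host=ws01 kind=net_connect process=outlook.exe iface=Ethernet0
host=ws01 kind=net_connect process=outlook.exe iface="Bluetooth Network Connection"
"""


def parse_line(line):
    """Turn one 'key=value key="quoted value"' line into a dict."""
    fields = {}
    for token in shlex.split(line):
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def detect(lines, baseline=NETWORK_BASELINE):
    """Return alerts as (host, process, interface, reasons) tuples.

    Rules:
      * adapter_<action>: any change to host adapter settings is surfaced.
      * process_not_in_network_baseline: a process with no history of network use.
      * traffic_over_newly_added_adapter: a connection over an interface that was
        added earlier in this telemetry stream, regardless of the process.
    """
    alerts = []
    new_ifaces = {}  # host -> set of interfaces added during this run
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = parse_line(raw)
        host, iface = ev.get("host", "?"), ev.get("iface", "")
        if ev.get("kind") == "adapter_change":
            action = ev.get("action", "changed")
            if action == "added":
                new_ifaces.setdefault(host, set()).add(iface)
            alerts.append((host, "", iface, ["adapter_" + action]))
            continue
        if ev.get("kind") != "net_connect":
            continue
        process = ev.get("process", "")
        reasons = []
        if process not in baseline:
            reasons.append("process_not_in_network_baseline")
        if iface in new_ifaces.get(host, set()):
            reasons.append("traffic_over_newly_added_adapter")
        if reasons:
            alerts.append((host, process, iface, reasons))
    return alerts


def run_sample():
    """Run the detector over the constructed log and return its alerts."""
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the constructed input this yields three alerts: the adapter addition itself, the unbaselined process talking over the new adapter (two reasons), and the baselined mail client using the new adapter (one reason). The third case is the one a baseline-only rule would miss, which is why adapter changes are worth correlating with subsequent connection events rather than reviewing in isolation.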