MITRE ATT&CK® Analytic

AN0213: Analytic 0213

Use of `rfkill`, `nmcli`, or low-level tools (e.g., `iw`, `hcitool`, `pppd`) to enable alternate interfaces followed by data transfer via non-primary NICs.

Enterprise / AN0213 / Analytic / Object v1.0 / Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic matters because it points to Linux systems using alternate network interfaces—such as wireless, Bluetooth, cellular/PPP, or other non-primary NIC paths—to move data outside the expected network route. For leaders, the risk is not just command execution; it is loss of visibility and control when a host can bypass monitored gateways, segmentation, or approved egress paths.

Executive priority

Prioritize this where Linux systems support sensitive operations, regulated data, production access, or locations where secondary interfaces could bypass normal monitoring. Security leaders should ask whether asset standards prohibit or control unused radios and NICs, whether SOC telemetry can prove which interface carried traffic, and whether incident responders can quickly determine if data left through an unexpected path. This is also useful audit evidence for network control, data protection, and configuration governance programs.

Technical view

The supplied ATT&CK analytic is Linux-focused and describes use of `rfkill`, `nmcli`, or lower-level tools such as `iw`, `hcitool`, and `pppd` to enable alternate interfaces followed by data transfer over non-primary NICs. SOC and detection teams should validate visibility into process execution for those tools, network-interface state changes, and traffic attribution by interface. Because no official detection logic or ATT&CK relationship context is supplied, teams should treat this as a detection-design prompt rather than a complete rule.

Likely telemetry

  • Linux process execution telemetry showing use of `rfkill`, `nmcli`, `iw`, `hcitool`, `pppd`, or related network-management utilities
  • Network interface inventory and state-change logs, including newly enabled, re-enabled, or previously disabled interfaces
  • Host network connection telemetry that can identify the local interface, source address, destination, volume, and timing
  • Network flow or packet metadata from monitored segments to compare expected primary NIC traffic against host-reported activity
  • Configuration management or endpoint inventory data showing approved NICs, radios, Bluetooth, wireless, modem, or PPP capabilities

Detection direction

  • Correlate execution of interface-control utilities with subsequent outbound data transfer from a non-primary interface or unexpected source address.
  • Baseline legitimate administrative and network-management activity to reduce false positives from troubleshooting, provisioning, mobility, or approved wireless/cellular use.
  • Alert with higher priority when alternate-interface activation occurs on servers, production Linux systems, privileged workstations, or hosts expected to use only wired or managed network paths.
  • Validate whether telemetry records the interface used for traffic; many environments collect process and network events but cannot reliably connect transfer activity to a specific NIC.
  • Look for gaps where endpoint logging is disabled, NetworkManager activity is not centrally collected, Bluetooth/wireless events are not monitored, or traffic over out-of-band links bypasses perimeter sensors.
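The correlation described in the detection direction above, written out as an added example that is not part of the Glexia analysis or of any MITRE-supplied logic. It joins Linux process-execution events for the interface-control utilities named in the analytic with later outbound transfers from a non-primary interface on the same host, applies an approved-exception list (the baselining point), escalates severity for servers, and counts transfers whose interface could not be attributed (the telemetry-gap point). The sample events, the host inventory, the ten-minute window and the byte threshold are all constructed assumptions for the example.

```python
"""Correlate interface-control tool execution with later outbound transfers
over a non-primary NIC on the same Linux host.

All events below are constructed sample telemetry, not real logs. The host
inventory, approved exceptions, time window and byte threshold are assumed
values for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Utilities named in the analytic whose execution starts a correlation window.
INTERFACE_TOOLS = {"rfkill", "nmcli", "iw", "hcitool", "pppd"}

# Assumed asset inventory: the monitored primary interface and role per host.
INVENTORY = {
    "db01": {"primary": "eth0", "role": "server"},
    "lap07": {"primary": "wlan0", "role": "laptop"},
}
# Assumed approved exceptions: (host, interface) pairs allowed to carry traffic.
APPROVED = {("lap07", "wwan0")}
WINDOW = timedelta(minutes=10)   # assumed: how long after the tool ran we look
MIN_BYTES = 1_000_000            # assumed: below this it is chatter, not transfer


@dataclass
class ProcEvent:
    ts: datetime
    host: str
    user: str
    cmd: str


@dataclass
class NetEvent:
    ts: datetime
    host: str
    iface: Optional[str]   # None when telemetry cannot attribute the interface
    dst: str
    bytes_out: int


def ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample telemetry.
PROC_EVENTS = [
    ProcEvent(ts("2024-05-01T10:00:00"), "db01", "svc", "rfkill unblock wifi"),
    ProcEvent(ts("2024-05-01T10:00:05"), "db01", "svc", "nmcli device connect wlan0"),
    ProcEvent(ts("2024-05-01T11:00:00"), "lap07", "alice", "nmcli connection up cellular"),
    ProcEvent(ts("2024-05-01T12:00:00"), "db01", "root", "ls -la /etc"),
]
NET_EVENTS = [
    NetEvent(ts("2024-05-01T10:04:00"), "db01", "wlan0", "203.0.113.7:443", 52_000_000),
    NetEvent(ts("2024-05-01T10:05:00"), "db01", "eth0", "198.51.100.20:443", 80_000_000),
    NetEvent(ts("2024-05-01T10:06:00"), "db01", None, "203.0.113.8:443", 30_000_000),
    NetEvent(ts("2024-05-01T11:03:00"), "lap07", "wwan0", "198.51.100.9:443", 9_000_000),
    NetEvent(ts("2024-05-01T12:30:00"), "db01", "wlan0", "203.0.113.7:443", 5_000_000),
]


def tool_name(cmd: str) -> str:
    """Basename of the executed program, so '/usr/sbin/rfkill ...' matches 'rfkill'."""
    parts = cmd.split()
    return parts[0].rsplit("/", 1)[-1] if parts else ""


def correlate(proc_events, net_events):
    """Return (alerts, unattributed_count).

    An alert is raised for a transfer that (1) left through an interface other
    than the host's primary NIC, (2) is not an approved exception, (3) exceeds
    MIN_BYTES, and (4) follows an interface-control tool run on that host within
    WINDOW. Transfers with no interface recorded are counted, not alerted, so
    the gap in attribution is visible to the analyst.
    """
    triggers = [p for p in proc_events if tool_name(p.cmd) in INTERFACE_TOOLS]
    alerts, unattributed = [], 0
    for n in sorted(net_events, key=lambda e: e.ts):
        if n.iface is None:
            unattributed += 1
            continue
        inv = INVENTORY.get(n.host)
        if inv is None or n.iface == inv["primary"] or n.bytes_out < MIN_BYTES:
            continue
        if (n.host, n.iface) in APPROVED:
            continue
        prior = [p for p in triggers
                 if p.host == n.host and timedelta(0) <= n.ts - p.ts <= WINDOW]
        if not prior:
            continue
        alerts.append({
            "host": n.host, "iface": n.iface, "ts": n.ts.isoformat(),
            "dst": n.dst, "bytes_out": n.bytes_out,
            "severity": "high" if inv["role"] == "server" else "medium",
            "triggers": [f"{p.user}: {p.cmd}" for p in prior],
        })
    return alerts, unattributed


if __name__ == "__main__":
    found, missing_iface = correlate(PROC_EVENTS, NET_EVENTS)
    for a in found:
        print(a)
    print(f"transfers without interface attribution: {missing_iface}")
```

On the sample data only the db01 wireless transfer at 10:04 alerts (severity high, two triggering commands); the wired eth0 transfer is the primary path, the lap07 cellular transfer is an approved exception, the 12:30 wireless transfer has no tool execution within the window, and one transfer is reported as unattributed because the telemetry carried no interface field. In a real deployment the inventory and exception list would come from configuration management rather than constants.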

Mitigation priorities

  • Define which Linux assets are allowed to have secondary network interfaces, radios, Bluetooth, cellular, or PPP capability, and document exceptions.
  • Disable or remove unused interfaces and services where operationally feasible, especially on sensitive or fixed-purpose systems.
  • Restrict administrative ability to enable interfaces or change network configuration to approved users and managed processes.
  • Ensure endpoint and network monitoring can capture interface state changes, relevant utility execution, and traffic attribution by interface.
  • Use incident response playbooks that include checking for alternate NIC use when investigating suspected data transfer or monitoring bypass.

Analyst notes and limits

The object is a detection analytic, not a full ATT&CK technique entry. Its value is in prompting validation of whether Linux hosts can activate alternate interfaces and transfer data through paths that may not be covered by normal network controls. Local asset roles, approved interface use, and available telemetry are essential to determine severity and tune detection.

No official detection logic, tactics, relationships, procedure examples, mitigations, or attribution context were supplied. This take is limited to the official description, platform, external reference, and object metadata. It should not be interpreted as evidence of active exploitation or guaranteed detectability in any environment.

Official MITRE ATT&CK definition

Analytic 0213

Use of `rfkill`, `nmcli`, or low-level tools (e.g., `iw`, `hcitool`, `pppd`) to enable alternate interfaces followed by data transfer via non-primary NICs.


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: abf0dbc3c1807e54...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1                      1.0                       Current bundle  abf0dbc3c180…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN0213 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.