AN1531: Analytic 1531
Detection of non-interactive or suspicious processes accessing Bluetooth interfaces and transmitting outbound traffic following file access or staging activity.
Analyst context for executives and security teams
AN1531 is a Windows-focused detection analytic for suspicious, non-interactive processes that access Bluetooth interfaces and then send outbound traffic after file access or staging activity. Its business value is in validating whether the organization can see unusual use of local wireless interfaces combined with potential data movement signals, rather than treating Bluetooth only as an endpoint configuration issue.
Executive priority
Prioritize this analytic where Windows endpoints may handle sensitive files or operate in environments where wireless interfaces create policy, audit, or operational risk. Leaders should ask whether SOC teams have evidence to distinguish normal Bluetooth use from suspicious process behavior, whether outbound traffic after file staging is monitored, and whether endpoint and network telemetry can be correlated during an incident.
Technical view
For SOC, detection engineering, and IR teams, AN1531 points to correlation across Windows process activity, Bluetooth interface access, file access or staging, and subsequent outbound network traffic. Because ATT&CK provides no formal detection logic, teams should validate data availability and build environment-specific baselines for legitimate Bluetooth-related processes and user-driven activity versus non-interactive or unusual process access.
Likely telemetry
- Windows process creation and process lineage telemetry
- Endpoint events showing access to Bluetooth interfaces or related device APIs/drivers where available
- File access, file creation, or staging activity on Windows endpoints
- Outbound network connection telemetry from endpoint or network sensors
- User session context to distinguish interactive from non-interactive process activity
Detection direction
- Confirm whether Windows endpoint telemetry can identify processes interacting with Bluetooth interfaces; this may be a blind spot in many standard logging configurations.
- Correlate Bluetooth interface access with recent file access or staging and outbound network traffic rather than alerting on Bluetooth use alone.
- Baseline expected Bluetooth-related processes, services, and user-driven activity to reduce false positives from legitimate peripherals and device-management workflows.
- Review process lineage and user context for non-interactive execution, service accounts, scheduled tasks, or unexpected parent processes.
- Because no ATT&CK detection logic or relationships are supplied, tune locally and document assumptions as detection engineering evidence.
Mitigation priorities
- Inventory where Bluetooth is enabled on Windows systems and align usage with business need and policy.
- Restrict or disable Bluetooth on systems where it is not required, especially endpoints handling sensitive files or critical operations.
- Ensure endpoint monitoring captures process, file, device-interface, and outbound network activity needed to support this analytic.
- Use least privilege and application control where appropriate to reduce unexpected process access to device interfaces.
- Include Bluetooth-related endpoint behavior in IR triage playbooks and compliance evidence where wireless interface control is in scope.
Analyst notes and limits
This object is a detection analytic, not a technique or procedure. It is limited to Windows and describes a behavioral pattern involving suspicious or non-interactive process access to Bluetooth interfaces, file access or staging, and outbound traffic. No tactics, relationships, aliases, or official detection logic were supplied.
Assessment is constrained to the supplied ATT&CK fields and external reference. There is no official detection query, no related technique context, and no evidence of active exploitation, attribution, impact, or guaranteed detectability. Local telemetry, endpoint configuration, and business use of Bluetooth are required to determine coverage and priority.
Analytic 1531
Detection of non-interactive or suspicious processes accessing Bluetooth interfaces and transmitting outbound traffic following file access or staging activity.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | 892eda70b2c8… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack AN1531Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.