MITRE ATT&CK® Detection Strategy

DET0077: Detection of Exfiltration Over Alternate Network Interfaces


Enterprise · DET0077 · Detection Strategy · Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This detection strategy matters because it points to data leaving through a network path that may sit outside normal monitoring, such as Wi-Fi, cellular, modem, Bluetooth, or other RF channels, while command and control uses a different connection. For leaders, the key issue is not just exfiltration; it is whether the organization can see and govern alternate network interfaces well enough to prove that sensitive data cannot bypass primary network controls.

Executive priority

Prioritize this as a visibility and control validation question for exfiltration resilience. Ask whether managed detection, endpoint monitoring, network architecture, and incident response playbooks account for secondary or unmanaged network media. This is especially relevant to audit evidence and risk ownership where business processes rely on laptops, workstations, or systems that may have multiple network interfaces. Because the ATT&CK detection object has no official detection text, decisions should be based on local exposure, asset classes, and whether alternate interfaces are allowed, monitored, or disabled.

Technical view

The supplied relationship says DET0077 detects T1011, Exfiltration Over Other Network Medium, under the exfiltration tactic, with the related technique applying to Linux, macOS, and Windows. SOC and detection engineering teams should validate whether telemetry can show interface changes, concurrent network paths, unexpected wireless or cellular usage, and data movement over non-primary media. Incident responders should treat unexplained alternate-interface activity on systems handling sensitive data as a scoping lead, not as proof of exfiltration by itself.

Likely telemetry

  • Endpoint network interface inventory and state changes
  • Operating system logs for wireless, Bluetooth, modem, cellular, or other adapter activation
  • Endpoint network connection metadata by interface where available
  • Network flow or proxy records from monitored interfaces
  • Data transfer volume and destination patterns associated with non-primary network paths

Detection direction

  • Validate whether current detections distinguish traffic by network interface or only by host/IP after routing.
  • Look for systems using alternate or newly enabled interfaces, especially where the primary command-and-control or business network path differs from the data transfer path.
  • Tune for environmental context: legitimate mobile broadband, Bluetooth peripherals, corporate Wi-Fi, lab networks, and travel use can create false positives.
  • Identify blind spots where unmanaged Wi-Fi, cellular hotspots, modem links, Bluetooth, or RF paths are not logged by central network controls.
  • Use the relationship to T1011 to frame alerts as possible exfiltration behavior, but require corroborating evidence such as unusual data volume, sensitive host role, destination context, or policy violation.
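The following Python is an added worked example for the two lists above (Likely telemetry and Detection direction); it is not part of the MITRE object or of Glexia's analysis. It correlates three constructed feeds (an asset-inventory mapping of each host's primary interface, adapter state-change events, and connection metadata that still carries the egress interface) and emits alert candidates only for high-volume egress on a non-primary interface, attaching the corroboration the text asks for: whether the adapter came up shortly before the transfer and whether the primary path carried traffic at the same time. All field names, hostnames, addresses, thresholds and sample records are assumptions made for the example.

```python
"""Correlate per-interface endpoint telemetry to surface candidate exfiltration
over a non-primary network interface (the T1011 behaviour DET0077 points at).

Added example for this page, not MITRE or Glexia code. Field names, the
thresholds and every sample record below are constructed assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed asset inventory: the interface each host is expected to use for
# business traffic. Assumption: sourced from asset management or from the
# interface carrying the managed default route. Hosts missing here have no
# known primary, so all of their interfaces are treated as alternate paths.
PRIMARY_IFACE = {"WS-0419": "eth0", "LT-0072": "eth0", "WS-0555": "eth0", "LT-0090": "wlan0"}

# Constructed adapter state-change events (OS logs / EDR interface inventory).
IFACE_EVENTS = [
    {"ts": "2025-03-04T10:02:11", "host": "WS-0419", "iface": "wlan0", "media": "wifi", "state": "up"},
    {"ts": "2025-03-04T09:40:00", "host": "LT-0072", "iface": "wlan0", "media": "wifi", "state": "up"},
    {"ts": "2025-03-04T10:15:30", "host": "WS-0555", "iface": "bnep0", "media": "bluetooth", "state": "up"},
]

# Constructed connection metadata attributed to the egress interface, the field
# most flow/proxy pipelines lose once traffic is routed. bytes_out is host -> dst.
FLOWS = [
    # WS-0419: small periodic HTTPS on eth0 while a large transfer leaves via wlan0
    {"ts": "2025-03-04T10:00:05", "host": "WS-0419", "iface": "eth0", "dst": "203.0.113.10", "dport": 443, "bytes_out": 1_200},
    {"ts": "2025-03-04T10:05:04", "host": "WS-0419", "iface": "eth0", "dst": "203.0.113.10", "dport": 443, "bytes_out": 1_180},
    {"ts": "2025-03-04T10:06:40", "host": "WS-0419", "iface": "wlan0", "dst": "198.51.100.25", "dport": 443, "bytes_out": 420_000_000},
    {"ts": "2025-03-04T10:09:12", "host": "WS-0419", "iface": "wlan0", "dst": "198.51.100.25", "dport": 443, "bytes_out": 430_000_000},
    {"ts": "2025-03-04T10:10:06", "host": "WS-0419", "iface": "eth0", "dst": "203.0.113.10", "dport": 443, "bytes_out": 1_210},
    # LT-0072: ordinary browsing over Wi-Fi while the wired primary is idle
    {"ts": "2025-03-04T09:45:00", "host": "LT-0072", "iface": "wlan0", "dst": "192.0.2.80", "dport": 443, "bytes_out": 2_000_000},
    # WS-0555: Bluetooth peripheral chatter, tiny volume
    {"ts": "2025-03-04T10:16:00", "host": "WS-0555", "iface": "bnep0", "dst": "10.9.9.2", "dport": 8080, "bytes_out": 50_000},
    # LT-0090: large upload on its own primary interface, so not an alternate path
    {"ts": "2025-03-04T11:00:00", "host": "LT-0090", "iface": "wlan0", "dst": "192.0.2.40", "dport": 443, "bytes_out": 900_000_000},
]

VOLUME_THRESHOLD = 100_000_000   # assumption: tune per host role and baseline
WINDOW = timedelta(minutes=30)   # correlation window for adapter events and primary-path traffic


def _t(s):
    return datetime.fromisoformat(s)


def detect(flows=FLOWS, events=IFACE_EVENTS, primary=PRIMARY_IFACE,
           threshold=VOLUME_THRESHOLD, window=WINDOW):
    """Return alert candidates for (host, alternate iface, dst) whose aggregate
    bytes_out exceeds the threshold, each carrying its corroborating evidence."""
    # 1. Aggregate egress volume per (host, non-primary iface, destination).
    volume = defaultdict(int)
    first_seen = {}
    for f in flows:
        if f["iface"] == primary.get(f["host"]):
            continue   # traffic on the expected business path is out of scope here
        key = (f["host"], f["iface"], f["dst"])
        volume[key] += f["bytes_out"]
        first_seen[key] = min(first_seen.get(key, _t(f["ts"])), _t(f["ts"]))

    alerts = []
    for key, total in volume.items():
        if total < threshold:
            continue   # peripherals and light Wi-Fi use stay below this
        host, iface, dst = key
        t0 = first_seen[key]
        # 2. Was this adapter brought up shortly before the transfer started?
        activation = [e for e in events
                      if e["host"] == host and e["iface"] == iface and e["state"] == "up"
                      and t0 - window <= _t(e["ts"]) <= t0]
        # 3. Did the primary interface carry traffic concurrently? That is the
        #    T1011 shape: data leaves one path while C2 or business traffic uses another.
        concurrent_primary = sorted({f["dst"] for f in flows
                                     if f["host"] == host and f["iface"] == primary.get(host)
                                     and abs(_t(f["ts"]) - t0) <= window})
        alerts.append({
            "host": host, "iface": iface, "dst": dst, "bytes_out": total,
            "media": activation[0]["media"] if activation else "unknown",
            "adapter_activated_before_transfer": bool(activation),
            "concurrent_primary_path_dsts": concurrent_primary,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect():
        print(alert)
```

Run as-is, it reports only WS-0419: 850 MB left over a Wi-Fi adapter that came up four minutes earlier while eth0 kept talking to 203.0.113.10. LT-0090 is never considered because wlan0 is its inventoried primary, and the Bluetooth peripheral and LT-0072's browsing fall under the volume threshold. Lowering the threshold (`detect(threshold=1_000_000)`) surfaces LT-0072 too, but with an empty concurrent-primary list, which is exactly the missing corroboration the text says should stop an analyst from treating alternate-interface traffic as proof of exfiltration.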

Mitigation priorities

  • Establish policy and inventory for permitted network interfaces and alternate network media on endpoints and sensitive systems.
  • Disable or restrict unnecessary wireless, modem, cellular, Bluetooth, or other alternate interfaces where business requirements allow.
  • Ensure endpoint telemetry and asset management can report adapter presence, activation, and connection state.
  • Route approved alternate connectivity through monitored and governed paths when feasible.
  • Update incident response procedures to check for non-primary network paths during suspected data exfiltration investigations.

Analyst notes and limits

The object is a detection strategy with no official MITRE description or detection text provided. The practical interpretation comes from its relationship to T1011, Exfiltration Over Other Network Medium. Treat this as a prompt to test telemetry coverage and control assumptions around alternate interfaces rather than as a ready-made analytic.

Platforms and tactics are not specified on the detection strategy itself. Linux, macOS, Windows, and the exfiltration tactic are supported only through the related T1011 technique. No claims are made about active exploitation, specific adversaries, detection efficacy, or customer exposure.

Official MITRE ATT&CK definition

Detection of Exfiltration Over Alternate Network Interfaces

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; links on this page otherwise point into the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain      ID     Name                                    Relationship / procedure
Enterprise  T1011  Exfiltration Over Other Network Medium  This object detects Exfiltration Over Other Network Medium.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created: -
Modified: -
Raw hash: 0495cdb06dd34548...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1     -                1.0             -         Current bundle  0495cdb06dd3…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack: DET0077 (source URL on attack.mitre.org)
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.