MITRE ATT&CK® Detection Strategy

DET0554: Detection of Bluetooth-Based Data Exfiltration

Domain: Enterprise | ID: DET0554 | Type: Detection Strategy | Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This detection strategy matters because it points to a less-common exfiltration path: data leaving an environment over Bluetooth instead of the normal enterprise network. The related ATT&CK technique, Exfiltration Over Bluetooth, highlights a business blind spot: controls focused on internet, proxy, firewall, or EDR network telemetry may not see short-range wireless transfer, especially when an attacker has access and physical proximity.

Executive priority

Treat this as a coverage-validation topic for sensitive endpoints and locations, not as evidence of a specific active threat. Leaders should ask whether Bluetooth use is business-required on Linux, macOS, and Windows systems that handle regulated, confidential, or operationally critical data; whether policy is enforceable; and whether SOC and incident response teams can produce evidence of Bluetooth pairing, connection, and file-transfer activity when investigating data loss.

Technical view

The supplied detection strategy object has no official detection text or platforms of its own. Its only provided context is that it detects T1011.001, Exfiltration Over Bluetooth, under the exfiltration tactic, with related platforms Linux, macOS, and Windows. SOC and detection teams should therefore validate local visibility into Bluetooth adapter state, device discovery and pairing, connection events, file-transfer services, endpoint process activity associated with wireless transfer, and physical-proximity context where available. Incident responders should include Bluetooth configuration and paired-device review in endpoint triage for suspected exfiltration cases where network egress logs do not explain data movement.

Likely telemetry

  • Endpoint operating system logs showing Bluetooth enablement, adapter state, discovery, pairing, trust, and connection events
  • Endpoint inventory or configuration data showing whether Bluetooth hardware is present and enabled
  • File access and file movement telemetry on systems handling sensitive data
  • Process execution telemetry for utilities or services involved in Bluetooth communication or file transfer
  • Device-control or endpoint management policy evidence showing Bluetooth allowed, blocked, or exception status

Detection direction

  • Start with asset scoping: identify Linux, macOS, and Windows endpoints where Bluetooth is enabled and where sensitive data is accessible.
  • Validate whether Bluetooth pairing and connection events are centrally collected; many network-centric SOC pipelines will not capture this path.
  • Tune detections around unusual Bluetooth enablement, new or unrecognized paired devices, file-transfer activity, or Bluetooth use on systems where the business has no approved need.
  • Correlate Bluetooth activity with sensitive file access, compression, staging, removable media activity, and user session context to reduce false positives.
  • Account for legitimate peripherals such as keyboards, mice, headsets, and approved mobile workflows; detection should distinguish routine accessory use from data-transfer-capable behavior where telemetry permits.
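The scoping, tuning and correlation steps above can be expressed as a small rule set run over collected endpoint events. The block below is an added example written for this page; it is not Glexia's or MITRE's code. The event records, hostnames, device addresses, file paths, the approved-host list and the known-peripheral inventory are all constructed for the example, and the event field names are an assumption: real Bluetooth and file-access telemetry differs per operating system and collector and would need a normalisation step in front of this logic.

```python
"""Flag Bluetooth use outside policy and correlate it with sensitive file access.

Added example for this page (not Glexia or MITRE code). All data below is
constructed; field names (host, user, kind, detail) are an assumed normalised
schema, not the native format of any operating system log.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed policy: hosts with a documented business need for Bluetooth.
BLUETOOTH_APPROVED_HOSTS = {"wkstn-design-07"}
# Constructed accessory inventory (keyboard, headset); addresses are made up.
KNOWN_PERIPHERALS = {"AA:BB:CC:00:00:01", "AA:BB:CC:00:00:02"}
# Constructed sensitive-data locations used for the correlation rule.
SENSITIVE_PATH_PREFIXES = ("/srv/finance/", "C:\\Finance\\")
CORRELATION_WINDOW = timedelta(minutes=10)


@dataclass
class Event:
    ts: datetime
    host: str
    user: str
    kind: str    # bt_enabled | bt_paired | bt_connected | file_access
    detail: str  # device address for bt_* events, file path for file_access


@dataclass
class Finding:
    rule: str
    event: Event
    related: Optional[Event] = None  # the Bluetooth connection a file access was tied to


def is_sensitive(path: str) -> bool:
    return path.startswith(SENSITIVE_PATH_PREFIXES)


def detect(events, approved_hosts=BLUETOOTH_APPROVED_HOSTS,
           known_peripherals=KNOWN_PERIPHERALS, window=CORRELATION_WINDOW):
    """Apply three rules in time order:
    1. any Bluetooth activity on a host without an approved need;
    2. pairing with a device that is not in the accessory inventory;
    3. sensitive file access within `window` after a connection to a
       non-accessory device on the same host (accessory traffic is ignored).
    """
    findings = []
    pending = {}  # host -> connections to non-accessory devices awaiting correlation
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.kind.startswith("bt_"):
            if e.host not in approved_hosts:
                findings.append(Finding("bluetooth_on_unapproved_host", e))
            if e.kind == "bt_paired" and e.detail not in known_peripherals:
                findings.append(Finding("unrecognized_paired_device", e))
            if e.kind == "bt_connected" and e.detail not in known_peripherals:
                pending.setdefault(e.host, []).append(e)
        elif e.kind == "file_access" and is_sensitive(e.detail):
            for conn in pending.get(e.host, []):
                if timedelta(0) <= e.ts - conn.ts <= window:
                    findings.append(Finding("sensitive_access_after_bluetooth_connection", e, conn))
    return findings


def summarize(findings) -> Counter:
    """Count findings per rule; handy for a quick triage view."""
    return Counter(f.rule for f in findings)


def _t(hhmm: str) -> datetime:
    return datetime(2026, 1, 15, int(hhmm[:2]), int(hhmm[3:]))


# Constructed sample telemetry: one approved design workstation using a
# keyboard and headset, and one finance server where Bluetooth is switched on,
# a new device is paired and connected, and a payroll file is read shortly after.
SAMPLE_EVENTS = [
    Event(_t("09:00"), "wkstn-design-07", "alice", "bt_connected", "AA:BB:CC:00:00:01"),
    Event(_t("09:05"), "srv-finance-02", "bob", "bt_enabled", "-"),
    Event(_t("09:06"), "srv-finance-02", "bob", "bt_paired", "DE:AD:BE:EF:00:10"),
    Event(_t("09:07"), "srv-finance-02", "bob", "bt_connected", "DE:AD:BE:EF:00:10"),
    Event(_t("09:09"), "srv-finance-02", "bob", "file_access", "/srv/finance/payroll-q3.xlsx"),
    Event(_t("10:30"), "wkstn-design-07", "alice", "bt_paired", "AA:BB:CC:00:00:02"),
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        tie = f" (after connection at {f.related.ts:%H:%M})" if f.related else ""
        print(f"{f.event.ts:%H:%M} {f.event.host} {f.rule} {f.event.detail}{tie}")
    print(dict(summarize(detect(SAMPLE_EVENTS))))
```

Run as written, the workstation's accessory use produces no findings, while the finance server yields three unapproved-host findings, one unrecognised-device finding and one correlation finding tying the payroll read to the connection two minutes earlier. The correlation window and the accessory inventory are the two knobs that control false-positive rate in practice.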

Mitigation priorities

  • Define where Bluetooth is required versus prohibited, prioritizing endpoints with sensitive, regulated, or operationally critical data.
  • Disable or restrict Bluetooth on systems without a business need using endpoint management or device-control policy where available.
  • Require documented exceptions for approved Bluetooth use and make those exceptions available to SOC and audit teams.
  • Ensure endpoint logging and response procedures include Bluetooth pairing, connection, and file-transfer review.
  • Test incident response playbooks for suspected data exfiltration scenarios where standard network egress telemetry is incomplete or silent.

Analyst notes and limits

The ATT&CK detection strategy record is sparse: no official description, official detection logic, tactics, or platforms are provided for the strategy itself. The practical guidance above is derived from the single supplied relationship to T1011.001, whose description explains Bluetooth-based exfiltration as an alternative to the command-and-control channel when access and proximity exist.

This take does not assert active exploitation, actor use, customer exposure, or guaranteed detection. Local operating system logging, endpoint management controls, Bluetooth hardware presence, approved business workflows, and physical access assumptions must be validated in the environment before prioritizing engineering work.

Official MITRE ATT&CK definition

Detection of Bluetooth-Based Data Exfiltration

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain      ID          Name                          Type            Relationship / procedure
Enterprise  T1011.001   Exfiltration Over Bluetooth   Sub-technique   This object detects Exfiltration Over Bluetooth.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
9aad8163c4b0cdf1...
Imported snapshots across ATT&CK releases (1)

Release   Bundle imported   Object version   Modified   Status           Raw hash
19.1      -                 1.0              -          Current bundle   9aad8163c4b0…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] mitre-attack: DET0554
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.