MITRE ATT&CK® Technique

T1011: Exfiltration Over Other Network Medium

Adversaries may attempt to exfiltrate data over a different network medium than the command and control channel. If the command and control network is a wired Internet connection, the exfiltration may occur, for example, over a WiFi connection, modem, cellular data connection, Bluetooth, or another radio frequency (RF) channel.

Adversaries may choose to do this if they have sufficient access or proximity, and the connection might not be secured or defended as well as the primary Internet-connected channel because it is not routed through the same enterprise network.

Enterprise | T1011 | Technique | Object v1.2 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

This technique matters because data theft may bypass the network path an organization normally monitors. If command and control uses the enterprise wired Internet connection, an adversary with enough access or proximity may try to move data out through WiFi, modem, cellular, Bluetooth, or another RF channel that is less secured or not routed through enterprise defenses.

Executive priority

Leaders should treat this as a coverage and governance question, not only a malware question: do asset standards, OS configuration baselines, and SOC monitoring account for alternate network interfaces on Linux, macOS, and Windows systems? The business risk is that exfiltration evidence may be missing if monitoring is concentrated only on primary Internet egress points. This is especially relevant for incident response readiness, audit evidence around endpoint hardening, and environments where wireless or removable communications paths are present.

Technical view

For SOC, detection engineering, and IR teams, validate whether endpoints can use alternate network media while also connected to the enterprise network. ATT&CK provides no official detection text for T1011, but the related detection strategy DET0077 points to detecting exfiltration over alternate network interfaces. Practical validation should compare expected network paths against observed interface availability and data movement over WiFi, modem, cellular, Bluetooth, or RF-capable channels where those are present. Focus on Linux, macOS, and Windows endpoint visibility, because those are the supported platforms for this technique.

Likely telemetry

  • Endpoint network interface inventory and state changes for Linux, macOS, and Windows systems
  • Connection metadata showing use of WiFi, modem, cellular, Bluetooth, or other RF-capable channels where available
  • Endpoint configuration evidence showing whether unused communications features are enabled or disabled
  • Network egress records from primary enterprise paths to identify gaps where traffic would not be routed through normal controls
  • Incident response artifacts that show concurrent or unexpected use of alternate interfaces during suspected exfiltration

Detection direction

  • Validate whether DET0077-style coverage exists for exfiltration over alternate network interfaces rather than only standard enterprise Internet egress.
  • Tune detections around unexpected interface activation or data transfer on non-primary network media, with environment-specific allowlists for legitimate wireless, cellular, Bluetooth, or modem use.
  • Check for blind spots where alternate media are not logged, not centrally monitored, or not routed through normal enterprise controls.
  • During investigations, ask whether suspected data movement could have occurred outside the command-and-control channel and outside normal network telemetry.

Mitigation priorities

  • Prioritize OS configuration hardening consistent with M1028 to reduce unnecessary exposure from enabled network and communications features.
  • Disable or remove unnecessary features, programs, or services consistent with M1042, especially where alternate network media are not required for business operations.
  • Maintain endpoint standards that define which network interfaces are permitted on Linux, macOS, and Windows systems.
  • Use compliance and configuration evidence to prove that unused communications paths are disabled or controlled, rather than assuming perimeter monitoring is sufficient.
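
The "Detection direction" and "Mitigation priorities" lists above both reduce to two checks an endpoint or SOC team can automate: compare each host's enabled interfaces against the media its endpoint standard permits (the M1028/M1042 evidence), and alert when an unapproved alternate medium activates or carries a large outbound transfer while the wired enterprise link is up. The script below is an added example, not Glexia's or MITRE's code; the inventory, the per-host policy, the log format (`<ts> <host> iface=... medium=... event=up|down|tx [bytes=N]`) and the 100 MiB threshold are all constructed assumptions, so the parser and field names would be adapted to whatever the real asset inventory and interface telemetry produce.

```python
"""Baseline check and detection logic for alternate-network-medium use (T1011).

All inventories, policies and log lines here are constructed sample data; the
log format and field names are assumptions, not any vendor's schema.
"""
import re
from collections import defaultdict

# Media that are not the primary enterprise wired path.
ALTERNATE_MEDIA = {"wifi", "cellular", "bluetooth", "modem", "rf"}

# Constructed per-host baseline: which media the endpoint standard permits.
# Hosts absent from the policy default to the wired interface only.
PERMITTED_MEDIA = {
    "lap-042": {"wired", "wifi"},   # laptop; WiFi approved for this host
    "srv-007": {"wired"},           # server; no alternate media allowed
}

# Constructed interface inventory, as an asset-management export might give it:
# host -> [(interface name, medium, state)]
INVENTORY = {
    "lap-042": [("eth0", "wired", "up"), ("wlan0", "wifi", "up"), ("bt0", "bluetooth", "up")],
    "srv-007": [("eno1", "wired", "up"), ("wwan0", "cellular", "down")],
}

# Assumed log line shape for interface state changes and outbound byte counts.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) iface=(?P<iface>\S+) medium=(?P<medium>\S+) "
    r"event=(?P<event>up|down|tx)(?: bytes=(?P<bytes>\d+))?$"
)

# Constructed telemetry: one server bringing up cellular, one laptop using
# approved WiFi and then an unapproved Bluetooth link.
SAMPLE_LOG = """\
2024-05-01T09:00:00Z srv-007 iface=eno1 medium=wired event=up
2024-05-01T09:05:00Z srv-007 iface=wwan0 medium=cellular event=up
2024-05-01T09:06:00Z srv-007 iface=wwan0 medium=cellular event=tx bytes=734003200
2024-05-01T09:10:00Z lap-042 iface=eth0 medium=wired event=up
2024-05-01T09:11:00Z lap-042 iface=wlan0 medium=wifi event=up
2024-05-01T09:12:00Z lap-042 iface=wlan0 medium=wifi event=tx bytes=52428800
2024-05-01T09:20:00Z lap-042 iface=bt0 medium=bluetooth event=up
2024-05-01T09:21:00Z lap-042 iface=bt0 medium=bluetooth event=tx bytes=209715200
"""


def baseline_violations(inventory, policy):
    """Return (host, iface, medium) for every enabled medium outside the host's baseline.

    This is the configuration evidence the mitigation list asks for: a medium
    that is merely present but down is not a violation, an enabled one is.
    """
    out = []
    for host, ifaces in inventory.items():
        allowed = policy.get(host, {"wired"})
        for name, medium, state in ifaces:
            if state == "up" and medium not in allowed:
                out.append((host, name, medium))
    return out


def parse_log(text):
    """Parse the assumed log format; lines that do not match are skipped, not guessed at."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["bytes"] = int(d["bytes"]) if d["bytes"] else 0
        events.append(d)
    return events


def detect_alternate_medium_exfil(events, policy, tx_threshold=100 * 1024 * 1024):
    """Alerts, in log order, for alternate-medium activity not covered by the baseline.

    "activation": an unapproved alternate medium came up while the wired link was up
    "transfer":   cumulative outbound bytes over an unapproved alternate medium
                  crossed tx_threshold (one alert per host/interface)
    Media on the host's allowlist (e.g. approved WiFi) never alert.
    """
    wired_up = defaultdict(bool)   # host -> wired link currently up?
    sent = defaultdict(int)        # (host, iface) -> cumulative bytes out
    already_alerted = set()
    alerts = []
    for e in events:
        host, iface, medium = e["host"], e["iface"], e["medium"]
        if medium == "wired":
            wired_up[host] = (e["event"] == "up")
            continue
        if medium not in ALTERNATE_MEDIA or medium in policy.get(host, {"wired"}):
            continue
        if e["event"] == "up" and wired_up[host]:
            alerts.append(("activation", host, iface, medium, e["ts"]))
        elif e["event"] == "tx":
            sent[(host, iface)] += e["bytes"]
            if sent[(host, iface)] > tx_threshold and (host, iface) not in already_alerted:
                already_alerted.add((host, iface))
                alerts.append(("transfer", host, iface, medium, e["ts"]))
    return alerts


if __name__ == "__main__":
    for v in baseline_violations(INVENTORY, PERMITTED_MEDIA):
        print("baseline violation:", v)
    for a in detect_alternate_medium_exfil(parse_log(SAMPLE_LOG), PERMITTED_MEDIA):
        print("alert:", a)
```

On the sample data the baseline check flags only the laptop's enabled Bluetooth interface (the server's cellular modem is present but down), and the detector raises four alerts: cellular activation and a large transfer on `srv-007`, and Bluetooth activation and a large transfer on `lap-042`, while the laptop's approved WiFi traffic stays silent. The per-host allowlist is what keeps this usable in an environment with legitimate wireless use, which is the tuning point the detection list calls out.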

Analyst notes and limits

The material decision point is whether the organization can see and control data movement over network media other than the primary command-and-control or enterprise Internet path. This technique is most relevant where endpoints have alternate connectivity options or where adversary proximity could make wireless or RF channels practical.

The ATT&CK object does not provide official detection guidance, procedure examples, attribution, impact claims, or evidence of active exploitation. Local endpoint inventory, interface configuration, and telemetry availability are required to determine exposure and detection coverage.

Official MITRE ATT&CK definition

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain     | ID        | Name                        | Relationship / procedure
Enterprise | T1011.001 | Exfiltration Over Bluetooth | Sub-technique: Exfiltration Over Bluetooth is a sub-technique of this object.
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.2
Created:
Modified:
Raw hash: c230d6c93af2c6da...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.2            |          | Current bundle | c230d6c93af2…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack T1011 (open source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.