T1011.001: Exfiltration Over Bluetooth

Adversaries may attempt to exfiltrate data over Bluetooth rather than the command and control channel. If the command and control network is a wired Internet connection, an adversary may opt to exfiltrate data using a Bluetooth communication channel.

Adversaries may choose to do this if they have sufficient access and proximity. Bluetooth connections might not be secured or defended as well as the primary Internet-connected channel because it is not routed through the same enterprise network.

EnterpriseT1011.001Sub-techniqueObject v1.2 Modified Oct 24, 2025, 17:48 UTC (UTC+00:00)

Exfiltration Over Bluetooth matters because it moves data outside the normal enterprise network path. If an adversary has local access and physical proximity, Bluetooth can become a bypass around perimeter logging, proxy controls, and network egress monitoring that leaders often rely on as evidence of data-loss coverage.

Executive priority

Treat this as a control-assurance issue for endpoints that can access sensitive data and have Bluetooth enabled. The business question is not only whether internet egress is monitored, but whether alternate local communication channels are governed, logged, and disabled where unnecessary. This is most relevant to operational resilience, insider/nearby-device risk, incident scoping, and audit evidence for endpoint hardening on Linux, macOS, and Windows systems.

Technical view

ATT&CK provides no official detection text for T1011.001, but the object is related to DET0554, Detection of Bluetooth-Based Data Exfiltration. SOC and IR teams should validate whether endpoint telemetry can show Bluetooth adapter state, pairing activity, connection events, file-transfer activity, and unusual data movement to paired devices. Detection engineering should prioritize systems with sensitive data access and compare Bluetooth activity against expected business use. Because this is a sub-technique of Exfiltration Over Other Network Medium, teams should avoid assuming network egress tools alone cover the behavior.

Likely telemetry

Endpoint operating system configuration state for Bluetooth enablement on Linux, macOS, and Windows
Bluetooth pairing, connection, and device trust events where available
Endpoint file access and file-transfer evidence associated with Bluetooth-capable workflows
Asset inventory identifying systems where Bluetooth is enabled or required
Incident response collection from endpoints when network logs do not explain suspected data loss

Detection direction

Validate whether DET0554-style Bluetooth exfiltration detection is implementable with currently collected endpoint telemetry.
Tune for unauthorized or unusual Bluetooth use on systems handling sensitive data rather than alerting on all Bluetooth activity.
Correlate Bluetooth events with file access, compression, staging, or removable/local transfer indicators when available.
Document blind spots where Bluetooth events are not logged, retained, or centrally collected.
Account for legitimate peripherals and approved business use to reduce false positives.

Mitigation priorities

Use Operating System Configuration to harden Bluetooth settings on Linux, macOS, and Windows endpoints.
Disable or remove Bluetooth functionality where it is not required for business operations.
Apply stricter configuration baselines to endpoints with access to sensitive data.
Maintain asset and exception records so compliance and IR teams can distinguish approved Bluetooth use from unknown exposure.
Review endpoint hardening evidence periodically because network security controls may not observe this channel.

Analyst notes and limits

The supplied ATT&CK relationships include mitigations M1028 and M1042, a detection strategy relationship to DET0554, a parent technique T1011, and a software relationship showing Flame uses this technique. The Flame relationship should be treated as ATT&CK context, not as evidence of current activity in any environment.

MITRE does not provide official detection text for this object. Bluetooth monitoring capabilities vary by operating system, endpoint configuration, and telemetry collection. Local asset context, approved peripheral use, and data sensitivity are required to determine priority and detection quality.

Official MITRE ATT&CK definition

Exfiltration Over Bluetooth

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Filter related techniques 1 rows

Domain	ID	Name	Relationship / procedure
Enterprise	T1011	Exfiltration Over Other Network Medium	This object subtechnique of Exfiltration Over Other Network Medium.

Associated objects

Groups, software, and campaigns

S0143: Flame

Flame is a sophisticated toolkit that has been used to collect information since at least 2010, largely targeting Middle East countries. [1]

Windows

Relationship explorer

All related ATT&CK context

uses · Malware S0143: Flame Enterprise subtechnique of · Technique T1011: Exfiltration Over Other Network Medium Enterprise detects · Detection Strategy DET0554: Detection of Bluetooth-Based Data Exfiltration Enterprise mitigates · Mitigation M1042: Disable or Remove Feature or Program Enterprise mitigates · Mitigation M1028: Operating System Configuration Enterprise

Mitigations

Mitigation direction

M1042: Disable or Remove Feature or Program

Disable or remove unnecessary and potentially vulnerable software, features, or services to reduce the attack surface and prevent abuse by adversaries. This involves identifying software or features that are no longer needed or that could be exploited and ensuring they are either removed or properly disabled. This mitigation can be implemented through the following measures:

Remove Legacy Software:

- Use Case: Disable or remove older versions of software that no longer receive updates or security patches (e.g., legacy Java, Adobe Flash). - Implementation: A company removes Flash Player from all employee systems after it has reached its end-of-life date.

Disable Unused Features:

- Use Case: Turn off unnecessary operating system features like SMBv1, Telnet, or RDP if they are not required. - Implementation: Disable SMBv1 in a Windows environment to mitigate vulnerabilities like EternalBlue.

Control Applications Installed by Users:

- Use Case: Prevent users from installing unauthorized software via group policies or other management tools. - Implementation: Block user installations of unauthorized file-sharing applications (e.g., BitTorrent clients) in an enterprise environment.

Remove Unnecessary Services:

- Use Case: Identify and disable unnecessary default services running on endpoints, servers, or network devices. - Implementation: Disable unused administrative shares (e.g., C$, ADMIN$) on workstations.

Restrict Add-ons and Plugins:

- Use Case: Remove or disable browser plugins and add-ons that are not needed for business purposes. - Implementation: Disable Java and ActiveX plugins in web browsers to prevent drive-by attacks.

M1028: Operating System Configuration

Operating System Configuration involves adjusting system settings and hardening the default configurations of an operating system (OS) to mitigate adversary exploitation and prevent abuse of system functionality. Proper OS configurations address security vulnerabilities, limit attack surfaces, and ensure robust defense against a wide range of techniques. This mitigation can be implemented through the following measures:

Disable Unused Features:

- Turn off SMBv1, LLMNR, and NetBIOS where not needed. - Disable remote registry and unnecessary services.

Enforce OS-level Protections:

- Enable Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR), and Control Flow Guard (CFG) on Windows. - Use AppArmor or SELinux on Linux for mandatory access controls.

Secure Access Settings:

- Enable User Account Control (UAC) for Windows. - Restrict root/sudo access on Linux/macOS and enforce strong permissions using sudoers files.

File System Hardening:

- Implement least-privilege access for critical files and system directories. - Audit permissions regularly using tools like icacls (Windows) or getfacl/chmod (Linux/macOS).

Secure Remote Access:

- Restrict RDP, SSH, and VNC to authorized IPs using firewall rules. - Enable NLA for RDP and enforce strong password/lockout policies.

Harden Boot Configurations:

- Enable Secure Boot and enforce UEFI/BIOS password protection. - Use BitLocker or LUKS to encrypt boot drives.

Regular Audits:

- Periodically audit OS configurations using tools like CIS Benchmarks or SCAP tools.

*Tools for Implementation*

Windows:

- Microsoft Group Policy Objects (GPO): Centrally enforce OS security settings. - Windows Defender Exploit Guard: Built-in OS protection against exploits. - CIS-CAT Pro: Audit Windows security configurations based on CIS Benchmarks.

Linux/macOS:

- AppArmor/SELinux: Enforce mandatory access controls. - Lynis: Perform comprehensive security audits. - SCAP Security Guide: Automate configuration hardening using Security Content Automation Protocol.

Cross-Platform:

- Ansible or Chef/Puppet: Automate configuration hardening at scale. - OpenSCAP: Perform compliance and configuration checks.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 1.2
Created: Mar 9, 2020, 17:07 UTC (UTC+00:00)
Modified: Oct 24, 2025, 17:48 UTC (UTC+00:00)
Raw hash: 60d43b77ce248e09...

Imported snapshots across ATT&CK releases (1)

Release	Bundle imported	Object version	Modified	Status	Raw hash
19.1	May 18, 2026, 07:08 UTC (UTC+00:00)	1.2	Oct 24, 2025, 17:48 UTC (UTC+00:00)	Current bundle	`60d43b77ce24…`

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

[1]
mitre-attack T1011.001
Open source URL

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use