T1011

Exfiltration Over Other Network Medium

Adversaries may attempt to exfiltrate data over a different network medium than the command and control channel. If the command and control network is a wired Internet connection, the exfiltration may occur over a WiFi connection, modem, cellular data connection, Bluetooth, or another radio frequency (RF) channel. Adversaries may choose to do this if they have sufficient access or proximity, and the connection might not be secured or defended as well as the primary Internet-connected channel because it is not routed through the same enterprise network monitoring infrastructure. This technique is commonly associated with insider threat scenarios and advanced adversaries who have achieved a foothold and seek to bypass perimeter DLP controls that monitor only the primary wired egress channel.

Microsoft Sentinel / Defender

kusto

let WirelessHotspotPatterns = dynamic([
  "hostednetwork", "start hostednetwork", "mode=allow", "mode=disallow",
  "mobile hotspot", "set hostednetwork"
]);
let WirelessDiscoveryPatterns = dynamic([
  "show interface", "show networks", "show profiles",
  "show wlanreport", "show hostednetwork", "show drivers"
]);
let BluetoothTransferBinaries = dynamic([
  "fsquirt.exe", "bttray.exe"
]);
let SuspiciousParents = dynamic([
  "cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
  "mshta.exe", "rundll32.exe", "regsvr32.exe", "schtasks.exe"
]);
// Branch 1: netsh wlan commands for hotspot creation or wireless interface manipulation
let NetshWlanBranch = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "netsh.exe"
| where ProcessCommandLine has "wlan" or ProcessCommandLine has_any (WirelessHotspotPatterns)
| extend DetectionBranch = "NetshWlanConfig"
| extend IsHotspotCreation = ProcessCommandLine has_any (["hostednetwork", "mode=allow", "start hostednetwork"])
| extend IsWirelessDiscovery = ProcessCommandLine has_any (WirelessDiscoveryPatterns);
// Branch 2: Bluetooth file transfer wizard and tray utilities
let BluetoothTransferBranch = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName has_any (BluetoothTransferBinaries)
| extend DetectionBranch = "BluetoothFileTransfer"
| extend IsHotspotCreation = false
| extend IsWirelessDiscovery = false;
// Branch 3: PowerShell manipulating wireless or Bluetooth adapters — higher-fidelity if spawned from suspicious parent
let PSWirelessBranch = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any ([
    "Bluetooth", "WiFi", "WLAN", "MobileBroadband",
    "NetAdapter", "New-WiFiProfile", "Get-NetAdapter",
    "Set-NetConnectionProfile", "Add-VpnConnection",
    "SoftAP", "HostedNetwork"
  ])
| where InitiatingProcessFileName has_any (SuspiciousParents)
    or ProcessCommandLine has_any (["-enc", "-EncodedCommand", "Compress-Archive", "DownloadFile", "exfil"])
| extend DetectionBranch = "PSWirelessManipulation"
| extend IsHotspotCreation = ProcessCommandLine has_any (["HostedNetwork", "SoftAP", "hotspot"])
| extend IsWirelessDiscovery = ProcessCommandLine has_any (["Get-NetAdapter", "Get-WiFiProfile", "show"]);
union NetshWlanBranch, BluetoothTransferBranch, PSWirelessBranch
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         DetectionBranch, IsHotspotCreation, IsWirelessDiscovery
| sort by Timestamp desc

high severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

IT administrators running netsh wlan commands to diagnose wireless connectivity issues or manage corporate wireless profiles
Help desk staff using netsh wlan show commands for network troubleshooting on user endpoints
MDM/EMM agents (Microsoft Intune, SCCM/MECM) deploying or updating wireless configuration profiles via PowerShell
End users legitimately transferring personal files to Bluetooth peripherals (headphones, phones) via fsquirt.exe
Network assessment or inventory tools querying wireless adapter status and available SSIDs

Splunk

spl

index=wineventlog (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 OR sourcetype="WinEventLog:Security" EventCode=4688)
| eval Image=coalesce(Image, NewProcessName)
| eval CommandLine=coalesce(CommandLine, ProcessCommandLine)
| eval ParentImage=coalesce(ParentImage, ParentProcessName)
| eval Image_lc=lower(Image)
| eval CmdLine_lc=lower(CommandLine)
| eval IsNetshWlan=if(match(Image_lc, "netsh\.exe") AND (match(CmdLine_lc, "wlan") OR match(CmdLine_lc, "hostednetwork") OR match(CmdLine_lc, "mobile\s*hotspot")), 1, 0)
| eval IsBluetoothTool=if(match(Image_lc, "(fsquirt\.exe|bttray\.exe)"), 1, 0)
| eval IsPSWirelessManip=if(match(Image_lc, "(powershell\.exe|pwsh\.exe)") AND match(CmdLine_lc, "(bluetooth|wlan|wifi|netadapter|get-netadapter|new-wifiprofile|mobilebroadband|set-netconnectionprofile|softap|hostednetwork)"), 1, 0)
| eval IsHotspotCreation=if(match(CmdLine_lc, "(hostednetwork|start\s+hostednetwork|mode=allow|softap)"), 1, 0)
| eval SuspicionScore=IsNetshWlan + IsBluetoothTool + IsPSWirelessManip + IsHotspotCreation
| where SuspicionScore > 0
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, IsNetshWlan, IsBluetoothTool, IsPSWirelessManip, IsHotspotCreation, SuspicionScore
| sort - _time

high severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1 Security Event ID 4688

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational WinEventLog:Security

False Positives

IT administrators running netsh wlan commands to diagnose wireless connectivity issues or manage corporate wireless profiles
Help desk staff using netsh wlan show commands for network troubleshooting on user endpoints
MDM/EMM agents (Microsoft Intune, SCCM/MECM) deploying or updating wireless configuration profiles via PowerShell
End users legitimately transferring personal files to Bluetooth peripherals (headphones, phones) via fsquirt.exe
Network assessment or inventory tools querying wireless adapter status and available SSIDs

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  LOGSOURCENAME(logsourceid) AS LogSource,
  username,
  filename AS ProcessName,
  "Command" AS CommandLine,
  "Parent Process Path" AS ParentProcess,
  CASE
    WHEN LOWER(filename) LIKE '%netsh.exe%'
      AND (LOWER("Command") LIKE '%wlan%'
        OR LOWER("Command") LIKE '%hostednetwork%'
        OR LOWER("Command") LIKE '%mode=allow%'
        OR LOWER("Command") LIKE '%mode=disallow%'
        OR LOWER("Command") LIKE '%mobile hotspot%')
      THEN 'NetshWlanConfig'
    WHEN LOWER(filename) LIKE '%fsquirt.exe%'
      OR LOWER(filename) LIKE '%bttray.exe%'
      THEN 'BluetoothFileTransfer'
    WHEN (LOWER(filename) LIKE '%powershell.exe%' OR LOWER(filename) LIKE '%pwsh.exe%')
      AND (LOWER("Command") LIKE '%bluetooth%'
        OR LOWER("Command") LIKE '%wlan%'
        OR LOWER("Command") LIKE '%wifi%'
        OR LOWER("Command") LIKE '%hostednetwork%'
        OR LOWER("Command") LIKE '%softap%'
        OR LOWER("Command") LIKE '%netadapter%'
        OR LOWER("Command") LIKE '%mobilebroadband%')
      THEN 'PSWirelessManipulation'
    ELSE 'Unknown'
  END AS DetectionBranch,
  CASE
    WHEN LOWER("Command") LIKE '%hostednetwork%'
      OR LOWER("Command") LIKE '%mode=allow%'
      OR LOWER("Command") LIKE '%softap%'
    THEN TRUE ELSE FALSE
  END AS IsHotspotCreation
FROM events
WHERE
  LOGSOURCETYPEID IN (12, 382)
  AND (
    (
      LOWER(filename) LIKE '%netsh.exe%' AND (
        LOWER("Command") LIKE '%wlan%' OR
        LOWER("Command") LIKE '%hostednetwork%' OR
        LOWER("Command") LIKE '%mode=allow%' OR
        LOWER("Command") LIKE '%mode=disallow%' OR
        LOWER("Command") LIKE '%mobile hotspot%'
      )
    ) OR
    LOWER(filename) LIKE '%fsquirt.exe%' OR
    LOWER(filename) LIKE '%bttray.exe%' OR
    (
      (LOWER(filename) LIKE '%powershell.exe%' OR LOWER(filename) LIKE '%pwsh.exe%')
      AND (
        LOWER("Command") LIKE '%bluetooth%' OR
        LOWER("Command") LIKE '%wlan%' OR
        LOWER("Command") LIKE '%wifi%' OR
        LOWER("Command") LIKE '%hostednetwork%' OR
        LOWER("Command") LIKE '%softap%' OR
        LOWER("Command") LIKE '%netadapter%' OR
        LOWER("Command") LIKE '%mobilebroadband%'
      )
    )
  )
  AND starttime > NOW() - 86400 SECONDS
ORDER BY starttime DESC
LIMIT 500

high severity medium confidence

Data Sources

Windows Security Event Log DSM (LOGSOURCETYPEID 12) Microsoft Sysmon DSM (LOGSOURCETYPEID 382)

Required Tables

events

False Positives

Network operations teams executing scheduled netsh wlan diagnostics or running configuration scripts to provision wireless interfaces during infrastructure rollouts
End users or helpdesk staff initiating Bluetooth file transfers via fsquirt.exe or bttray.exe as part of documented peripheral setup or same-desk data-move workflows
Automated endpoint management or asset discovery platforms issuing PowerShell Get-NetAdapter or Set-NetConnectionProfile commands during nightly compliance and inventory sweeps

Sumo Logic CSE

sql

(_sourceCategory=*Windows* OR _sourceCategory=*sysmon* OR _sourceCategory=*winlogbeat*)
| where EventID = 1 OR EventID = 4688
| eval image_lc = toLowerCase(Image)
| eval cmdline_lc = toLowerCase(CommandLine)
| where (
    image_lc matches /netsh\.exe/ AND (
      cmdline_lc contains "wlan" OR
      cmdline_lc contains "hostednetwork" OR
      cmdline_lc contains "mode=allow" OR
      cmdline_lc contains "mode=disallow" OR
      cmdline_lc contains "mobile hotspot"
    )
  )
  OR image_lc matches /fsquirt\.exe|bttray\.exe/
  OR (
    image_lc matches /powershell\.exe|pwsh\.exe/ AND (
      cmdline_lc contains "bluetooth" OR
      cmdline_lc contains "wlan" OR
      cmdline_lc contains "wifi" OR
      cmdline_lc contains "hostednetwork" OR
      cmdline_lc contains "softap" OR
      cmdline_lc contains "netadapter" OR
      cmdline_lc contains "mobilebroadband" OR
      cmdline_lc contains "new-wifiprofile" OR
      cmdline_lc contains "get-netadapter" OR
      cmdline_lc contains "set-netconnectionprofile"
    )
  )
| eval DetectionBranch = if(image_lc matches /netsh\.exe/, "NetshWlanConfig",
    if(image_lc matches /fsquirt\.exe|bttray\.exe/, "BluetoothFileTransfer",
       "PSWirelessManipulation"))
| eval IsHotspotCreation = if(
    cmdline_lc contains "hostednetwork" OR
    cmdline_lc contains "mode=allow" OR
    cmdline_lc contains "softap",
    "true", "false")
| eval IsWirelessDiscovery = if(
    cmdline_lc contains "show interface" OR
    cmdline_lc contains "show networks" OR
    cmdline_lc contains "show profiles" OR
    cmdline_lc contains "show hostednetwork" OR
    cmdline_lc contains "get-netadapter",
    "true", "false")
| fields _messageTime, Computer, User, Image, CommandLine, ParentImage, DetectionBranch, IsHotspotCreation, IsWirelessDiscovery
| sort by _messageTime desc

high severity medium confidence

Data Sources

Sumo Logic Windows Event Log Source (Sysmon EventID 1) Sumo Logic Windows Event Log Source (Security EventID 4688) Winlogbeat Universal Forwarder

Required Tables

Windows Security Logs (_sourceCategory=*Windows*) Sysmon Operational Logs (_sourceCategory=*sysmon*)

False Positives

Sysadmins running netsh wlan set hostednetwork or netsh wlan show drivers for legitimate wireless diagnostics, AP provisioning, or infrastructure audits
End users or support staff invoking fsquirt.exe or bttray.exe during Bluetooth pairing for authorized peripheral setup workflows such as headset or keyboard onboarding
Enterprise software distribution tools or remote monitoring agents using PowerShell to run Get-NetAdapter or Set-NetConnectionProfile during patch-window compliance or hardware enumeration jobs

Google Chronicle / SecOps

yaral

rule t1011_exfil_other_network_medium {
  meta:
    author = "Detection Engineering"
    description = "Detects T1011 - Exfiltration Over Other Network Medium via wireless hotspot creation, Bluetooth file transfer utilities, or PowerShell wireless adapter manipulation from suspicious parent processes"
    mitre_attack_tactic = "Exfiltration"
    mitre_attack_technique = "T1011"
    severity = "HIGH"
    priority = "HIGH"
    false_positives = "IT admin netsh diagnostics, legitimate Bluetooth transfers, MDM or endpoint tooling using wireless PowerShell cmdlets"
    version = "1.0"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      (
        re.regex($e.target.process.file.full_path, `(?i)netsh\.exe$`) and
        (
          re.regex($e.target.process.command_line, `(?i)wlan`) or
          re.regex($e.target.process.command_line, `(?i)hostednetwork`) or
          re.regex($e.target.process.command_line, `(?i)mode=(allow|disallow)`) or
          re.regex($e.target.process.command_line, `(?i)mobile.hotspot`)
        )
      ) or
      re.regex($e.target.process.file.full_path, `(?i)(fsquirt|bttray)\.exe$`) or
      (
        re.regex($e.target.process.file.full_path, `(?i)(powershell|pwsh)\.exe$`) and
        re.regex($e.target.process.command_line, `(?i)(bluetooth|wlan|wifi|netadapter|get-netadapter|new-wifiprofile|hostednetwork|softap|mobilebroadband|set-netconnectionprofile)`) and
        (
          re.regex($e.principal.process.file.full_path, `(?i)(cmd|powershell|wscript|cscript|mshta|rundll32|regsvr32|schtasks)\.exe$`) or
          re.regex($e.target.process.command_line, `(?i)(-enc|-EncodedCommand|Compress-Archive|DownloadFile|exfil)`)
        )
      )
    )

  condition:
    $e
}

high severity medium confidence

Data Sources

Chronicle UDM - Windows endpoint telemetry via Chronicle Forwarder Chronicle Ingestion: Microsoft Windows Event Logs (EventID 4688) Chronicle Ingestion: Sysmon via Chronicle Forwarder (EventID 1)

Required Tables

UDM Events (metadata.event_type = PROCESS_LAUNCH)

False Positives

IT administrators executing netsh wlan set or show commands during wireless infrastructure provisioning, troubleshooting runbooks, or post-imaging network validation scripts
Bluetooth peripheral onboarding workflows that invoke fsquirt.exe or bttray.exe as part of standard OS-level driver installation or device pairing initiated by IT or end users
Enterprise endpoint management suites such as SCCM, Intune, or Tanium invoking PowerShell to query Get-NetAdapter or Set-NetConnectionProfile state during scheduled compliance checks or hardware discovery cycles

CrowdStrike LogScale (CQL)

cql

#event_simpleName = "ProcessRollup2"
| IsNetshWlan := if(
    FileName = /netsh\.exe/i
    AND CommandLine = /wlan|hostednetwork|mode=allow|mode=disallow|mobile.hotspot/i,
    1, 0)
| IsBluetoothTool := if(
    FileName = /fsquirt\.exe|bttray\.exe/i,
    1, 0)
| IsPSWireless := if(
    FileName = /powershell\.exe|pwsh\.exe/i
    AND CommandLine = /bluetooth|wlan|wifi|netadapter|get-netadapter|new-wifiprofile|hostednetwork|softap|mobilebroadband|set-netconnectionprofile/i
    AND (
      ParentBaseFileName = /cmd\.exe|powershell\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|schtasks\.exe/i
      OR CommandLine = /-enc|-EncodedCommand|Compress-Archive|DownloadFile|exfil/i
    ),
    1, 0)
| SuspicionScore := IsNetshWlan + IsBluetoothTool + IsPSWireless
| SuspicionScore > 0
| DetectionBranch := case {
    IsNetshWlan = 1 : "NetshWlanConfig";
    IsBluetoothTool = 1 : "BluetoothFileTransfer";
    IsPSWireless = 1 : "PSWirelessManipulation";
    * : "Other"
  }
| IsHotspotCreation := if(
    CommandLine = /hostednetwork|mode=allow|softap/i,
    "true", "false")
| IsWirelessDiscovery := if(
    CommandLine = /show.interface|show.networks|show.profiles|show.hostednetwork|get-netadapter/i,
    "true", "false")
| table(
    [timestamp, ComputerName, UserName, FileName, CommandLine,
     ParentBaseFileName, DetectionBranch, IsHotspotCreation,
     IsWirelessDiscovery, SuspicionScore],
    sortby=timestamp, order=desc)

high severity medium confidence

Data Sources

CrowdStrike Falcon Data Replicator (FDR) - ProcessRollup2 event stream Falcon Insight EDR endpoint telemetry

Required Tables

ProcessRollup2

False Positives

Network operations staff running documented netsh wlan diagnostics, troubleshooting wireless interface state, or scripting hosted-network setup for guest Wi-Fi provisioning in office environments
IT helpdesk or end users launching fsquirt.exe or bttray.exe during approved Bluetooth file transfer workflows for device onboarding, peripheral firmware updates, or cross-device document sharing
Endpoint management platforms, patch orchestration tools, or security agents spawning PowerShell to enumerate or reconfigure network adapters during change-window automation or asset discovery scans

Last updated: 2026-04-13 Research depth: deep

References (8)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1011 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Exfiltration Over Other Network Medium

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Sub-techniques (1)

Same Tactic: Exfiltration

Popular Detections