T1011.001

Exfiltration Over Bluetooth

Adversaries may attempt to exfiltrate data over Bluetooth rather than the command and control channel. If the command and control network is a wired Internet connection, an adversary may opt to exfiltrate data using a Bluetooth communication channel. Adversaries may choose to do this if they have sufficient access and proximity. Bluetooth connections might not be secured or defended as well as the primary Internet-connected channel because it is not routed through the same enterprise network. Real-world examples include the Flame malware's BeetleJuice module, which transmitted encoded data over Bluetooth and acted as a Bluetooth beacon to identify nearby Bluetooth-enabled devices.

Microsoft Sentinel / Defender

kusto

let BluetoothTools = dynamic([
  "btattach", "btmgmt", "hciconfig", "hcitool", "hcidump", "bluetoothctl",
  "sdptool", "rfcomm", "obexftp", "obexd", "bluetooth-sendto",
  "fsquirt", "btvstack", "fsquirt.exe"
]);
let BluetoothCmdPatterns = dynamic([
  "bluetooth", "rfcomm", "obex", "btooth", "hci", "btspp",
  "00:00:00", "bt-adapter", "bluetoothd"
]);
let SuspiciousParents = dynamic([
  "python.exe", "python3", "perl", "ruby", "bash", "sh", "cmd.exe",
  "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"
]);
// Detect Bluetooth utility process launches
let BluetoothProcesses = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName has_any (BluetoothTools)
   or ProcessCommandLine has_any (BluetoothCmdPatterns)
| extend DetectionType = "Bluetooth Tool Execution"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
// Detect Bluetooth-related registry changes on Windows (Bluetooth adapter enable/disable or pairing)
let BluetoothRegistry = DeviceRegistryEvents
| where Timestamp > ago(24h)
| where RegistryKey has_any ("Bluetooth", "BTHPORT", "BTHENUM", "BthLE", "RFCOMM", "OBEX")
| where ActionType in ("RegistryValueSet", "RegistryKeyCreated")
| extend DetectionType = "Bluetooth Registry Modification"
| project Timestamp, DeviceName, AccountName = InitiatingProcessAccountName,
         FileName = InitiatingProcessFileName,
         ProcessCommandLine = InitiatingProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
// Detect file operations targeting Bluetooth stack or suspicious staging near Bluetooth access
let BluetoothFiles = DeviceFileEvents
| where Timestamp > ago(24h)
| where (FolderPath has_any ("bluetooth", "btooth", "rfcomm", "obex"))
   or (FileName has_any ("bluetooth", "rfcomm", "obex") and ActionType == "FileCreated")
| extend DetectionType = "Bluetooth-Related File Activity"
| project Timestamp, DeviceName, AccountName = InitiatingProcessAccountName,
         FileName = InitiatingProcessFileName,
         ProcessCommandLine = InitiatingProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
// Union all detection types
BluetoothProcesses
| union BluetoothRegistry
| union BluetoothFiles
| sort by Timestamp desc

high severity medium confidence

Data Sources

Process: Process Creation File: File Creation Windows Registry: Registry Key Modification Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents DeviceRegistryEvents DeviceFileEvents

False Positives

IT administrators using Bluetooth utilities for device pairing, diagnostics, or inventory on managed endpoints
Developers building Bluetooth applications testing functionality on their workstations
Windows built-in Bluetooth file transfer wizard (fsquirt.exe) used by employees for legitimate personal file transfers between devices
Bluetooth speakers, headsets, or peripherals being managed via system utilities on user workstations

Splunk

spl

index=wineventlog (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" OR sourcetype="WinEventLog:Security")
| eval EventCode=coalesce(EventCode, event_id)
| where EventCode IN ("1", "11", "12", "13", 1, 11, 12, 13, 4688, 4657)
(
  [search sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
   (Image="*\\fsquirt.exe"
   OR Image="*\\btattach"
   OR Image="*\\btmgmt"
   OR Image="*\\hciconfig"
   OR Image="*\\hcitool"
   OR Image="*\\hcidump"
   OR Image="*\\bluetoothctl"
   OR Image="*\\rfcomm"
   OR Image="*\\obexftp"
   OR Image="*\\sdptool"
   OR CommandLine="*bluetooth*"
   OR CommandLine="*rfcomm*"
   OR CommandLine="*obex*"
   OR CommandLine="*hcitool*"
   OR CommandLine="*hciconfig*"
   OR CommandLine="*btmgmt*"
   OR CommandLine="*bluetoothctl*")
  | eval DetectionType="Bluetooth Tool Execution"]
)
OR
(
  [search sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" (EventCode=12 OR EventCode=13)
   (TargetObject="*Bluetooth*"
   OR TargetObject="*BTHPORT*"
   OR TargetObject="*BTHENUM*"
   OR TargetObject="*BthLE*"
   OR TargetObject="*RFCOMM*")
  | eval DetectionType="Bluetooth Registry Modification"]
)
OR
(
  [search sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11
   (TargetFilename="*bluetooth*"
   OR TargetFilename="*rfcomm*"
   OR TargetFilename="*obex*"
   OR TargetFilename="*btooth*")
  | eval DetectionType="Bluetooth File Activity"]
)
| eval Image=coalesce(Image, NewProcessName)
| eval CommandLine=coalesce(CommandLine, CommandLine)
| eval User=coalesce(User, SubjectUserName)
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, TargetObject, TargetFilename, DetectionType
| sort - _time

high severity medium confidence

Data Sources

Process: Process Creation File: File Creation Windows Registry: Registry Key Modification Sysmon Event ID 1 Sysmon Event ID 11 Sysmon Event ID 12/13

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational WinEventLog:Security

False Positives

IT administrators using Bluetooth utilities for device pairing, diagnostics, or inventory on managed endpoints
Developers building Bluetooth applications testing functionality on their workstations
Windows built-in Bluetooth file transfer wizard (fsquirt.exe) used by employees for legitimate personal file transfers
Bluetooth peripheral management tools (headset software, mouse/keyboard pairing utilities) running in background

Elastic Security (EQL)

eql

any where
  (
    event.category == "process" and event.type == "start" and
    (
      process.name in~ ("btattach", "btmgmt", "hciconfig", "hcitool", "hcidump", "bluetoothctl",
                        "sdptool", "rfcomm", "obexftp", "obexd", "bluetooth-sendto", "fsquirt.exe") or
      process.command_line like~ "*bluetooth*" or
      process.command_line like~ "*rfcomm*" or
      process.command_line like~ "*obex*" or
      process.command_line like~ "*hcitool*" or
      process.command_line like~ "*hciconfig*" or
      process.command_line like~ "*btmgmt*" or
      process.command_line like~ "*bluetoothctl*" or
      process.command_line like~ "*bt-adapter*"
    )
  ) or
  (
    event.category == "registry" and event.type in ("creation", "change") and
    (
      registry.path like~ "*Bluetooth*" or
      registry.path like~ "*BTHPORT*" or
      registry.path like~ "*BTHENUM*" or
      registry.path like~ "*BthLE*" or
      registry.path like~ "*RFCOMM*" or
      registry.path like~ "*OBEX*"
    )
  ) or
  (
    event.category == "file" and event.type == "creation" and
    (
      file.path like~ "*bluetooth*" or
      file.path like~ "*rfcomm*" or
      file.path like~ "*obex*" or
      file.path like~ "*btooth*" or
      file.name like~ "*bluetooth*" or
      file.name like~ "*rfcomm*" or
      file.name like~ "*obex*"
    )
  )

high severity medium confidence

Data Sources

Elastic Endpoint Security (Elastic Agent endpoint integration) Winlogbeat with Sysmon module Elastic Agent Windows event log integration

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.registry-* logs-endpoint.events.file-* logs-windows.sysmon_operational-*

False Positives

IT administrators or help desk staff using bluetoothctl, hciconfig, or btmgmt to pair or configure enterprise Bluetooth peripherals such as keyboards, mice, or headsets during routine device provisioning.
IoT or embedded systems developers running obexftp, sdptool, or rfcomm on development workstations as part of authorized Bluetooth protocol testing for mobile or embedded product development.
Automated driver installation or MDM provisioning scripts that write to BTHPORT, BTHENUM, or BthLE registry keys when connecting new Bluetooth adapters or accessories to managed endpoints.
Linux system initialization scripts invoking btmgmt or hciconfig to enumerate or bring up Bluetooth adapters during boot sequences on dual-use workstations.

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS "Event Time",
  username AS "Username",
  sourceip AS "Source IP",
  "Image" AS "Process Image",
  "CommandLine" AS "Command Line",
  "TargetObject" AS "Registry Key",
  "TargetFilename" AS "Target Filename",
  CATEGORYNAME(category) AS "Category",
  QIDNAME(qid) AS "Event Name",
  logsourcename(logsourceid) AS "Log Source"
FROM events
WHERE devicetime > NOW() - 86400000
  AND (
    (
      eventid IN (1, 4688)
      AND (
        LOWER("Image") LIKE '%btattach%' OR
        LOWER("Image") LIKE '%btmgmt%' OR
        LOWER("Image") LIKE '%hciconfig%' OR
        LOWER("Image") LIKE '%hcitool%' OR
        LOWER("Image") LIKE '%hcidump%' OR
        LOWER("Image") LIKE '%bluetoothctl%' OR
        LOWER("Image") LIKE '%sdptool%' OR
        LOWER("Image") LIKE '%rfcomm%' OR
        LOWER("Image") LIKE '%obexftp%' OR
        LOWER("Image") LIKE '%obexd%' OR
        LOWER("Image") LIKE '%fsquirt%' OR
        LOWER("CommandLine") LIKE '%bluetooth%' OR
        LOWER("CommandLine") LIKE '%rfcomm%' OR
        LOWER("CommandLine") LIKE '%obex%' OR
        LOWER("CommandLine") LIKE '%hcitool%' OR
        LOWER("CommandLine") LIKE '%hciconfig%' OR
        LOWER("CommandLine") LIKE '%btmgmt%' OR
        LOWER("CommandLine") LIKE '%bluetoothctl%' OR
        LOWER("CommandLine") LIKE '%bt-adapter%'
      )
    ) OR (
      eventid IN (12, 13)
      AND (
        LOWER("TargetObject") LIKE '%bluetooth%' OR
        LOWER("TargetObject") LIKE '%bthport%' OR
        LOWER("TargetObject") LIKE '%bthenum%' OR
        LOWER("TargetObject") LIKE '%bthle%' OR
        LOWER("TargetObject") LIKE '%rfcomm%' OR
        LOWER("TargetObject") LIKE '%obex%'
      )
    ) OR (
      eventid = 11
      AND (
        LOWER("TargetFilename") LIKE '%bluetooth%' OR
        LOWER("TargetFilename") LIKE '%rfcomm%' OR
        LOWER("TargetFilename") LIKE '%obex%' OR
        LOWER("TargetFilename") LIKE '%btooth%'
      )
    )
  )
ORDER BY starttime DESC

high severity medium confidence

Data Sources

Microsoft Sysmon via Windows Event Log DSM Windows Security Event Log DSM QRadar Universal DSM with Sysmon custom event properties

Required Tables

events

False Positives

IT support personnel using hciconfig, btmgmt, or bluetoothctl on managed endpoints to troubleshoot Bluetooth connectivity or pair enterprise peripherals under a change management ticket.
Windows Plug-and-Play or Bluetooth driver stack installer writing to BTHPORT, BTHENUM, or BthLE registry keys during authorized hardware onboarding events captured by Sysmon Event ID 13.
Developer and QA workstations running obexftp, sdptool, or rfcomm as part of authorized Bluetooth protocol testing for IoT or embedded systems product lines.
System configuration management tools (SCCM, Ansible, Chef) that interact with Bluetooth adapter settings via registry writes or command-line invocations during endpoint build and hardening workflows.

Sumo Logic CSE

sql

(_sourceCategory="windows/sysmon" OR _sourceCategory="windows/security" OR _sourceCategory="linux/syslog" OR _sourceCategory="endpoint*")
| parse regex field=_raw "<EventID>(?P<EventID>\d+)</EventID>" nodrop
| parse regex field=_raw "<Image>(?P<Image>[^<]+)</Image>" nodrop
| parse regex field=_raw "<CommandLine>(?P<CommandLine>[^<]+)</CommandLine>" nodrop
| parse regex field=_raw "<TargetObject>(?P<TargetObject>[^<]+)</TargetObject>" nodrop
| parse regex field=_raw "<TargetFilename>(?P<TargetFilename>[^<]+)</TargetFilename>" nodrop
| parse regex field=_raw "<Computer>(?P<Computer>[^<]+)</Computer>" nodrop
| parse regex field=_raw "<User>(?P<User>[^<]+)</User>" nodrop
| where (
    (EventID in ("1", "4688") and (
      Image matches /(?i)(btattach|btmgmt|hciconfig|hcitool|hcidump|bluetoothctl|sdptool|rfcomm|obexftp|obexd|fsquirt)/ or
      CommandLine matches /(?i)(bluetooth|rfcomm|obex|hcitool|hciconfig|btmgmt|bluetoothctl|bt-adapter|bluetoothd)/
    )) or
    (EventID in ("12", "13") and (
      TargetObject matches /(?i)(bluetooth|bthport|bthenum|bthle|rfcomm|obex)/
    )) or
    (EventID = "11" and (
      TargetFilename matches /(?i)(bluetooth|rfcomm|obex|btooth)/
    ))
  )
| if(EventID in ("1", "4688"), "Bluetooth Tool Execution",
    if(EventID in ("12", "13"), "Bluetooth Registry Modification",
    if(EventID = "11", "Bluetooth File Activity", "Unknown"))) as DetectionType
| fields _messageTime, Computer, User, Image, CommandLine, TargetObject, TargetFilename, DetectionType
| sort by _messageTime desc

high severity medium confidence

Data Sources

Sumo Logic Installed Collector with Windows Event Log source (Sysmon channel) Sumo Logic Installed Collector with Windows Security Event Log source Sumo Logic OpenTelemetry Collector for Linux syslog

Required Tables

_sourceCategory=windows/sysmon _sourceCategory=windows/security

False Positives

Legitimate IT administration tasks using bluetoothctl, hciconfig, or btmgmt to pair or troubleshoot Bluetooth peripherals on employee endpoints, particularly common in hot-desk or shared hardware environments.
Automated MDM or system provisioning agents writing to BTHPORT or BTHENUM registry keys as part of Bluetooth adapter configuration steps during endpoint imaging or enrollment.
Bluetooth protocol testing tools such as obexftp, sdptool, or rfcomm executed on developer or QA workstations during authorized IoT or mobile application development and integration testing.
macOS and Linux system daemons (bluetoothd, btmgmt) initializing Bluetooth hardware adapters at boot or user session login, forwarded via syslog collectors to Sumo Logic.

Google Chronicle / SecOps

yaral

rule t1011_001_exfiltration_over_bluetooth {
  meta:
    author = "Detection Engineering"
    description = "Detects potential data exfiltration over Bluetooth (T1011.001) via Bluetooth tool execution, Bluetooth stack registry modification, or Bluetooth-related file creation activity."
    mitre_attack_tactic = "Exfiltration"
    mitre_attack_technique = "T1011.001"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1011/001/"
    severity = "HIGH"
    priority = "HIGH"
    platforms = "Windows, Linux"
    created = "2024-01-01"

  events:
    (
      $e.metadata.event_type = "PROCESS_LAUNCH" and
      (
        re.regex($e.target.process.file.full_path,
          `(?i)(btattach|btmgmt|hciconfig|hcitool|hcidump|bluetoothctl|sdptool|rfcomm|obexftp|obexd|bluetooth-sendto|fsquirt\.exe)`) or
        re.regex($e.target.process.command_line,
          `(?i)(bluetooth|rfcomm|obex|hcitool|hciconfig|btmgmt|bluetoothctl|bt-adapter|bluetoothd)`)
      )
    ) or
    (
      $e.metadata.event_type = "REGISTRY_MODIFICATION" and
      re.regex($e.target.registry.registry_key,
        `(?i)(bluetooth|bthport|bthenum|bthle|rfcomm|obex)`)
    ) or
    (
      $e.metadata.event_type = "FILE_CREATION" and
      re.regex($e.target.file.full_path,
        `(?i)(bluetooth|rfcomm|obex|btooth)`)
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle SIEM with Windows Sysmon UDM ingestion via Chronicle forwarder Chronicle Endpoint Detection telemetry (CrowdStrike, Microsoft Defender, Carbon Black) normalized to UDM Chronicle Linux AuditD / Syslog UDM parser for Linux Bluetooth tool activity

Required Tables

UDM Events — PROCESS_LAUNCH UDM Events — REGISTRY_MODIFICATION UDM Events — FILE_CREATION

False Positives

IT management scripts invoking btmgmt, hciconfig, or bluetoothctl to pair enterprise Bluetooth peripherals during scheduled device provisioning or refresh cycles, generating PROCESS_LAUNCH matches.
Windows Plug-and-Play subsystem or Bluetooth driver installers writing to BTHPORT, BTHENUM, or BthLE registry paths during authorized hardware onboarding, generating REGISTRY_MODIFICATION matches.
Authorized IoT developers on tracked workstations executing obexftp, rfcomm, or sdptool for Bluetooth stack testing as part of product development workflows covered under a threat exception policy.
Linux hosts that load Bluetooth kernel modules and invoke hciconfig or bluetoothd during startup, forwarded to Chronicle and normalized as PROCESS_LAUNCH events in UDM.

CrowdStrike LogScale (CQL)

cql

// T1011.001 - Exfiltration Over Bluetooth
// Covers: process execution, registry modification, and file write activity
#event_simpleName IN ("ProcessRollup2", "SyntheticProcessRollup2", "RegistryOperationEvent", "PeFileWritten", "NewExecutableWritten")
| case {
    in("#event_simpleName", values=["ProcessRollup2", "SyntheticProcessRollup2"])
    | FileName=/(?i)(btattach|btmgmt|hciconfig|hcitool|hcidump|bluetoothctl|sdptool|rfcomm|obexftp|obexd|bluetooth-sendto|fsquirt\.exe)/
      OR CommandLine=/(?i)(bluetooth|rfcomm|obex|hcitool|hciconfig|btmgmt|bluetoothctl|bt-adapter|bluetoothd)/
    | DetectionType:="Bluetooth Tool Execution";

    #event_simpleName="RegistryOperationEvent"
    | RegObjectName=/(?i)(bluetooth|bthport|bthenum|bthle|rfcomm|obex)/
    | DetectionType:="Bluetooth Registry Modification";

    in("#event_simpleName", values=["PeFileWritten", "NewExecutableWritten"])
    | TargetFileName=/(?i)(bluetooth|rfcomm|obex|btooth)/
    | DetectionType:="Bluetooth File Activity";
  }
| table(
    [_time, ComputerName, UserName, FileName, CommandLine,
     RegObjectName, TargetFileName, ParentBaseFileName, DetectionType]
  )
| sort(field=_time, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Protection sensor (EDR telemetry) CrowdStrike Falcon LogScale (Humio) data platform CrowdStrike Fusion SIEM connector for correlated event streaming

Required Tables

ProcessRollup2 SyntheticProcessRollup2 RegistryOperationEvent PeFileWritten NewExecutableWritten

False Positives

Authorized IT support staff using Falcon-monitored endpoints to run btmgmt, hciconfig, or bluetoothctl for Bluetooth device troubleshooting or pairing, generating ProcessRollup2 matches under a known-good user account.
CrowdStrike-protected developer workstations where obexftp, rfcomm, or sdptool are invoked as part of authorized Bluetooth stack testing for IoT or embedded product development.
Windows device enrollment workflows where MDM agents trigger RegistryOperationEvent writes to BTHPORT or BTHENUM keys when Bluetooth adapters are initialized during endpoint provisioning.
Automated compliance and audit scripts that enumerate Bluetooth registry keys via reg.exe or PowerShell, generating both ProcessRollup2 and RegistryOperationEvent hits simultaneously.

Last updated: 2026-04-13 Research depth: deep

References (10)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1011.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Exfiltration Over Bluetooth

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Same Tactic: Exfiltration

Popular Detections