Detect Exfiltration Over Bluetooth in IBM QRadar
Adversaries may attempt to exfiltrate data over Bluetooth rather than the command and control channel. If the command and control network is a wired Internet connection, an adversary may opt to exfiltrate data using a Bluetooth communication channel. Adversaries may choose to do this if they have sufficient access and proximity. Bluetooth connections might not be secured or defended as well as the primary Internet-connected channel because it is not routed through the same enterprise network. Real-world examples include the Flame malware's BeetleJuice module, which transmitted encoded data over Bluetooth and acted as a Bluetooth beacon to identify nearby Bluetooth-enabled devices.
MITRE ATT&CK
- Tactic: Exfiltration
- Sub-technique: T1011.001 Exfiltration Over Bluetooth
- Canonical reference: https://attack.mitre.org/techniques/T1011/001/
QRadar Detection Query
SELECT
    DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS "Event Time",
    username AS "Username",
    sourceip AS "Source IP",
    "Image" AS "Process Image",
    "CommandLine" AS "Command Line",
    "TargetObject" AS "Registry Key",
    "TargetFilename" AS "Target Filename",
    CATEGORYNAME(category) AS "Category",
    QIDNAME(qid) AS "Event Name",
    LOGSOURCENAME(logsourceid) AS "Log Source"
FROM events
WHERE starttime > NOW() - 86400000
AND (
    (
        "EventID" IN (1, 4688)
        AND (
            LOWER("Image") LIKE '%btattach%' OR
            LOWER("Image") LIKE '%btmgmt%' OR
            LOWER("Image") LIKE '%hciconfig%' OR
            LOWER("Image") LIKE '%hcitool%' OR
            LOWER("Image") LIKE '%hcidump%' OR
            LOWER("Image") LIKE '%bluetoothctl%' OR
            LOWER("Image") LIKE '%sdptool%' OR
            LOWER("Image") LIKE '%rfcomm%' OR
            LOWER("Image") LIKE '%obexftp%' OR
            LOWER("Image") LIKE '%obexd%' OR
            LOWER("Image") LIKE '%fsquirt%' OR
            LOWER("CommandLine") LIKE '%bluetooth%' OR
            LOWER("CommandLine") LIKE '%rfcomm%' OR
            LOWER("CommandLine") LIKE '%obex%' OR
            LOWER("CommandLine") LIKE '%hcitool%' OR
            LOWER("CommandLine") LIKE '%hciconfig%' OR
            LOWER("CommandLine") LIKE '%btmgmt%' OR
            LOWER("CommandLine") LIKE '%bluetoothctl%' OR
            LOWER("CommandLine") LIKE '%bt-adapter%'
        )
    ) OR (
        "EventID" IN (12, 13)
        AND (
            LOWER("TargetObject") LIKE '%bluetooth%' OR
            LOWER("TargetObject") LIKE '%bthport%' OR
            LOWER("TargetObject") LIKE '%bthenum%' OR
            LOWER("TargetObject") LIKE '%bthle%' OR
            LOWER("TargetObject") LIKE '%rfcomm%' OR
            LOWER("TargetObject") LIKE '%obex%'
        )
    ) OR (
        "EventID" = 11
        AND (
            LOWER("TargetFilename") LIKE '%bluetooth%' OR
            LOWER("TargetFilename") LIKE '%rfcomm%' OR
            LOWER("TargetFilename") LIKE '%obex%' OR
            LOWER("TargetFilename") LIKE '%btooth%'
        )
    )
)
ORDER BY starttime DESC
IBM QRadar AQL query detecting Bluetooth exfiltration indicators across three Sysmon/Security event categories. Event IDs 1 (Sysmon Process Create) and 4688 (Security: a new process has been created) detect Bluetooth tool execution by matching the process Image path and CommandLine against known Bluetooth utilities. Sysmon Event IDs 12 (registry object create/delete) and 13 (registry value set) detect modifications to Bluetooth stack keys. Sysmon Event ID 11 detects file creation with Bluetooth-related path strings. EventID, Image, CommandLine, TargetObject and TargetFilename are custom event properties, not normalized AQL columns, so they must be mapped from the Sysmon XML via the QRadar DSM or custom property configuration; for 4688 the same two process properties must be mapped from NewProcessName and the process command line, and the command line is present only when the "Include command line in process creation events" audit policy is enabled. The time window filters on starttime (the time QRadar received the event) rather than devicetime, so endpoints with skewed clocks are not silently excluded; 86400000 ms is 24 hours.
Data Sources
- Sysmon (Windows, or Sysmon for Linux) Event IDs 1, 11, 12 and 13 and Windows Security Event ID 4688, forwarded to QRadar with the EventID, Image, CommandLine, TargetObject and TargetFilename custom event properties extracted.
Required Tables
- events
False Positives & Tuning
- IT support personnel using hciconfig, btmgmt, or bluetoothctl on managed endpoints to troubleshoot Bluetooth connectivity or pair enterprise peripherals under a change management ticket.
- Windows Plug-and-Play or Bluetooth driver stack installer writing to BTHPORT, BTHENUM, or BthLE registry keys during authorized hardware onboarding events captured by Sysmon Event ID 13.
- Developer and QA workstations running obexftp, sdptool, or rfcomm as part of authorized Bluetooth protocol testing for IoT or embedded systems product lines.
- System configuration management tools (SCCM, Ansible, Chef) that interact with Bluetooth adapter settings via registry writes or command-line invocations during endpoint build and hardening workflows.
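The rule's three branches and an allowlist pass of the kind the tuning list above describes, rewritten in Python so the matching logic can be run offline against constructed events before the AQL is deployed. This is an added example, not QRadar code and not part of the original page. The field names (EventID, Image, CommandLine, TargetObject, TargetFilename, ParentImage, username) are assumed to be the custom event property names the AQL references, already extracted into one flat record per event; the sample events are constructed, and the allowlist values (CcmExec.exe, chef-client, ansible, the svc_sccm and bt-support01 accounts) are placeholders an organisation would replace with its own endpoint-management inventory and support roster.

```python
"""Offline re-implementation of the page's QRadar AQL rule for T1011.001.
Example code added to this page, not QRadar or Sysmon code. Field names are
assumed to equal the custom event properties referenced by the AQL, already
extracted from Sysmon/Security XML into a flat dict per event."""

# Indicator lists copied from the AQL WHERE clause.
PROCESS_IMAGES = ("btattach", "btmgmt", "hciconfig", "hcitool", "hcidump",
                  "bluetoothctl", "sdptool", "rfcomm", "obexftp", "obexd", "fsquirt")
PROCESS_CMDLINE = ("bluetooth", "rfcomm", "obex", "hcitool", "hciconfig",
                   "btmgmt", "bluetoothctl", "bt-adapter")
REGISTRY_KEYS = ("bluetooth", "bthport", "bthenum", "bthle", "rfcomm", "obex")
FILE_PATHS = ("bluetooth", "rfcomm", "obex", "btooth")

# Tuning allowlist (placeholder values, an assumption for illustration): actors
# that legitimately touch the Bluetooth stack, see False Positives & Tuning.
ALLOWED_ACTORS = ("\\ccmexec.exe", "/chef-client", "/ansible")
ALLOWED_SUPPORT_USERS = {"svc_sccm", "bt-support01"}


def _like_any(value, needles):
    """Equivalent of `LOWER(field) LIKE '%needle%'` for each needle; a NULL
    property never matches, exactly as in AQL."""
    if value is None:
        return False
    value = value.lower()
    return any(needle in value for needle in needles)


def matches_rule(event):
    """Return the name of the rule branch that fires for one event, or None."""
    eid = event.get("EventID")
    if eid in (1, 4688) and (_like_any(event.get("Image"), PROCESS_IMAGES)
                             or _like_any(event.get("CommandLine"), PROCESS_CMDLINE)):
        return "process"
    if eid in (12, 13) and _like_any(event.get("TargetObject"), REGISTRY_KEYS):
        return "registry"
    if eid == 11 and _like_any(event.get("TargetFilename"), FILE_PATHS):
        return "file"
    return None


def suppressed(event):
    """Allowlist pass applied after a match: known support accounts, or a
    process (or its parent) belonging to an endpoint-management tool."""
    if event.get("username") in ALLOWED_SUPPORT_USERS:
        return True
    actors = (event.get("Image") or "", event.get("ParentImage") or "")
    return any(_like_any(actor, ALLOWED_ACTORS) for actor in actors)


def triage(events):
    """Run the rule, then the allowlist. Returns ([(event id, branch)], suppressed count)."""
    alerts, quiet = [], 0
    for event in events:
        branch = matches_rule(event)
        if branch is None:
            continue
        if suppressed(event):
            quiet += 1
        else:
            alerts.append((event["id"], branch))
    return alerts, quiet


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    # Sysmon for Linux process create: hcitool scan.
    {"id": "e1", "EventID": 1, "Image": "/usr/bin/hcitool", "CommandLine": "hcitool scan",
     "ParentImage": "/bin/bash", "username": "jdoe"},
    # Security 4688 without command-line auditing: only the image is present.
    {"id": "e2", "EventID": 4688, "Image": "C:\\Windows\\System32\\fsquirt.exe",
     "CommandLine": None, "ParentImage": "C:\\Windows\\explorer.exe", "username": "jdoe"},
    # Sysmon 13 value set under BTHPORT; mixed case still matches because of LOWER().
    {"id": "e3", "EventID": 13, "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\BTHPORT\\Parameters"
                     "\\Devices\\001122334455\\Name", "username": "SYSTEM"},
    # Sysmon 11 file create by obexd.
    {"id": "e4", "EventID": 11, "Image": "/usr/lib/bluetooth/obexd",
     "TargetFilename": "/home/jdoe/.cache/obexd/transfer0", "username": "jdoe"},
    # Sysmon 12 on an unrelated key: no match.
    {"id": "e5", "EventID": 12, "Image": "C:\\Windows\\regedit.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", "username": "jdoe"},
    # Matches the rule but is spawned by the SCCM client: suppressed by tuning.
    {"id": "e6", "EventID": 1, "Image": "C:\\Windows\\System32\\fsquirt.exe",
     "CommandLine": "fsquirt.exe", "ParentImage": "C:\\Windows\\CCM\\CcmExec.exe", "username": "SYSTEM"},
    # Benign process: no match.
    {"id": "e7", "EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe notes.txt", "ParentImage": "C:\\Windows\\explorer.exe", "username": "jdoe"},
    # Atomic Test 5 style reg query: BTHPORT is not a CommandLine indicator, so no match.
    {"id": "e8", "EventID": 1, "Image": "C:\\Windows\\System32\\reg.exe",
     "CommandLine": "reg query HKLM\\SYSTEM\\CurrentControlSet\\Services\\BTHPORT\\Parameters\\Devices",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe", "username": "jdoe"},
]

if __name__ == "__main__":
    alerts, quiet = triage(SAMPLE_EVENTS)
    for event_id, branch in alerts:
        print(f"{event_id}: {branch} branch fired")
    print(f"{quiet} match(es) suppressed by the allowlist")
```

Running it yields four alerts (e1, e2, e3, e4), one SCCM-parented match suppressed by the allowlist, and two points worth carrying back to the AQL: a 4688 event with no command line still fires on Image alone, and e8 shows that a `reg query` of BTHPORT is not caught by the process branch because BTHPORT appears only among the registry indicators. If that path must alert, `LOWER("CommandLine") LIKE '%bthport%'` has to be added to the process branch.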
Testing Methodology
Validate this detection against the five Atomic Red Team tests for T1011.001. Each test below lists the behaviour to exercise and the telemetry you should expect to see.
- Test 1: Enumerate Bluetooth Devices on Windows
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe and CommandLine containing 'Get-PnpDevice' and 'Bluetooth'; the 'bluetooth' CommandLine indicator in the rule's process branch fires on this. PowerShell ScriptBlock Log Event ID 4104 with the full enumeration command. No registry modification events, but PnpDevice queries may appear in Windows Plug and Play logs.
- Test 2: Linux Bluetooth Device Scan with hcitool
Expected signal: Linux auditd: execve syscall for hcitool with arguments 'scan' and 'lescan'. Syslog/daemon.log: bluetoothd activity logs showing scan initiation. If auditd is configured with execve monitoring: type=EXECVE msg= records with a0='hcitool' a1='scan'. Sysmon for Linux Event ID 1 if deployed. Only the Sysmon for Linux event carries Image and CommandLine as the rule expects; auditd records reach the process branch only after they are mapped to those custom properties.
- Test 3: Transfer File via OBEX over Bluetooth on Linux
Expected signal: Linux auditd/Sysmon: execve event for obexftp with arguments including '--bluetooth', a MAC address, and '--put' with the file path. File creation event for /tmp/bt_test_exfil.txt. The process will exit with an error when no peer is reachable, but the telemetry is still generated. Syslog may show a bluetoothd connection attempt to the specified MAC address.
- Test 4: Python Bluetooth Exfiltration Script Execution (Windows/Linux)
Expected signal: Sysmon Event ID 1: Process Create for python3.exe or python.exe with CommandLine referencing Bluetooth. A second Sysmon Event ID 1 for the child powershell.exe spawned by Python with 'Get-PnpDevice -Class Bluetooth' in its CommandLine. PowerShell ScriptBlock Log Event ID 4104 for the enumeration command.
- Test 5: Bluetooth Registry Key Inspection for Paired Devices
Expected signal: Sysmon Event ID 1: Process Create for reg.exe with query arguments targeting HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Devices. If the PowerShell fallback executes: Sysmon Event ID 1 for powershell.exe with BTHPORT in CommandLine, plus PowerShell ScriptBlock Log Event ID 4104. Sysmon does not log registry reads (Event ID 12 covers key create/delete and Event ID 13 value set), so a read-only query produces no registry event and the rule's registry branch does not fire; auditing reads would require a SACL on the key and Security Event ID 4663. Note also that BTHPORT is not among the rule's CommandLine indicators, so the reg.exe invocation itself is not caught by the process branch unless '%bthport%' is added to it.
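Tests 2 and 3 above describe the Linux telemetry as auditd EXECVE records (a0='hcitool' a1='scan'), while the QRadar rule matches on Image and CommandLine, so Linux hosts without Sysmon for Linux only feed the rule once their audit records are normalized. The following normalizer is an added example, not part of auditd, Sysmon, QRadar or the original page. It joins the SYSCALL and EXECVE records that share an audit serial into an EventID 1 style event (that mapping and the property names are assumptions chosen to line up with the rule) and undoes auditd's hex encoding of arguments that contain spaces. The audit log excerpt is constructed, not captured from a real host.

```python
"""Normalize Linux auditd execve records into the process-creation shape the
QRadar rule matches on (EventID 1 with Image and CommandLine). Example code
added to this page, not part of auditd, Sysmon or QRadar. Mapping to EventID 1
and the property names are assumptions chosen to line up with the rule."""
import binascii
import re
from collections import defaultdict

# e.g. type=EXECVE msg=audit(<epoch>.<ms>:<serial>): argc=2 a0="hcitool" a1="scan"
HEADER_RE = re.compile(r'^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$')
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
ARG_RE = re.compile(r"a\d+")


def decode_arg(raw):
    """auditd quotes plain argv strings but hex-encodes any argument that
    contains a space, quote or control character; undo both forms."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    try:
        return binascii.unhexlify(raw).decode("utf-8", errors="replace")
    except (binascii.Error, ValueError):
        return raw


def parse_audit_line(line):
    """Split one audit record into (type, ts, serial, {key: raw value}) or None."""
    match = HEADER_RE.match(line.strip())
    if not match:
        return None
    fields = dict(KV_RE.findall(match.group("body")))
    return match.group("type"), float(match.group("ts")), int(match.group("serial")), fields


def normalize_execve(lines):
    """Join the SYSCALL record (full exe path, audit uid) with the EXECVE record
    (argv) that share an audit serial, and emit one rule-shaped event each."""
    by_serial = defaultdict(dict)
    for line in lines:
        parsed = parse_audit_line(line)
        if parsed is None:
            continue
        rtype, ts, serial, fields = parsed
        slot = by_serial[serial]
        if rtype == "SYSCALL":
            slot["exe"] = fields.get("exe", "").strip('"')
            slot["auid"] = fields.get("auid")
            slot["ts"] = ts
        elif rtype == "EXECVE":
            args = {int(k[1:]): decode_arg(v) for k, v in fields.items() if ARG_RE.fullmatch(k)}
            slot["argv"] = [args[i] for i in sorted(args)]
    events = []
    for serial, slot in sorted(by_serial.items()):
        if "argv" not in slot:
            continue  # no EXECVE record for this serial (e.g. a PATH-only group)
        events.append({
            "EventID": 1,
            # EXECVE carries argv[0] only as typed; the SYSCALL exe= field has the full path.
            "Image": slot.get("exe") or slot["argv"][0],
            "CommandLine": " ".join(slot["argv"]),
            "username": slot.get("auid"),
            "devicetime": slot.get("ts"),
            "audit_serial": serial,
        })
    return events


# Constructed audit log excerpt (not captured from a real host).
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1700000000.101:4101): arch=c000003e syscall=59 success=yes exit=0 a0=55d1c2a0 a1=55d1c2f0 a2=55d1c310 a3=0 items=2 ppid=3120 pid=3188 auid=1000 uid=0 gid=0 comm="hcitool" exe="/usr/bin/hcitool" key="bt-tools"
type=EXECVE msg=audit(1700000000.101:4101): argc=2 a0="hcitool" a1="scan"
type=SYSCALL msg=audit(1700000000.377:4102): arch=c000003e syscall=59 success=yes exit=0 a0=55d1c2a0 a1=55d1c2f0 a2=55d1c310 a3=0 items=2 ppid=3120 pid=3191 auid=1000 uid=1000 gid=1000 comm="obexftp" exe="/usr/bin/obexftp" key="bt-tools"
type=EXECVE msg=audit(1700000000.377:4102): argc=5 a0="obexftp" a1="--bluetooth" a2="00:11:22:33:44:55" a3="--put" a4=2F746D702F627420746573742E747874
type=PATH msg=audit(1700000000.377:4102): item=0 name="/usr/bin/obexftp" inode=1 dev=08:01 mode=0100755 ouid=0 ogid=0
"""

if __name__ == "__main__":
    for event in normalize_execve(SAMPLE_AUDIT.splitlines()):
        print(event["audit_serial"], event["Image"], repr(event["CommandLine"]))
```

The second record shows why the join matters: the `--put` target was typed with a space, so auditd emitted it as a hex string rather than a quoted one, and only the SYSCALL record supplies the full /usr/bin/obexftp path that the Image indicators are compared against. If the SYSCALL record is missing, the fallback to argv[0] still lets the CommandLine indicators fire, but a bare `hcitool` in Image should be treated as a degraded signal rather than a confirmed binary path.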
References (10)
- https://attack.mitre.org/techniques/T1011/001/
- https://attack.mitre.org/software/S0143/
- https://securelist.com/the-flame-questions-and-answers/34344/
- https://docs.microsoft.com/en-us/windows-hardware/drivers/bluetooth/bluetooth-host-radio-support
- https://www.bluetooth.com/learn-about-bluetooth/tech-overview/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1011.001/T1011.001.md
- https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del
- https://www.stigviewer.com/stig/windows_10/2021-08-18/finding/V-220843
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceregistryevents-table
- https://www.sans.org/white-papers/bluetooth-security-overview/