
Detect Exfiltration Over Other Network Medium in IBM QRadar

Adversaries may attempt to exfiltrate data over a different network medium than the command and control channel. If the command and control network is a wired Internet connection, the exfiltration may occur over a WiFi connection, modem, cellular data connection, Bluetooth, or another radio frequency (RF) channel. Adversaries may choose to do this if they have sufficient access or proximity, and the connection might not be secured or defended as well as the primary Internet-connected channel because it is not routed through the same enterprise network monitoring infrastructure. This technique is commonly associated with insider threat scenarios and advanced adversaries who have achieved a foothold and seek to bypass perimeter DLP controls that monitor only the primary wired egress channel.

MITRE ATT&CK

Tactic
Exfiltration
Technique
T1011 Exfiltration Over Other Network Medium
Canonical reference
https://attack.mitre.org/techniques/T1011/

QRadar Detection Query

IBM QRadar (AQL)

```sql
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  LOGSOURCENAME(logsourceid) AS LogSource,
  username,
  filename AS ProcessName,
  "Command" AS CommandLine,
  "Parent Process Path" AS ParentProcess,
  CASE
    WHEN LOWER(filename) LIKE '%netsh.exe%'
      AND (LOWER("Command") LIKE '%wlan%'
        OR LOWER("Command") LIKE '%hostednetwork%'
        OR LOWER("Command") LIKE '%mode=allow%'
        OR LOWER("Command") LIKE '%mode=disallow%'
        OR LOWER("Command") LIKE '%mobile hotspot%')
      THEN 'NetshWlanConfig'
    WHEN LOWER(filename) LIKE '%fsquirt.exe%'
      OR LOWER(filename) LIKE '%bttray.exe%'
      THEN 'BluetoothFileTransfer'
    WHEN (LOWER(filename) LIKE '%powershell.exe%' OR LOWER(filename) LIKE '%pwsh.exe%')
      AND (LOWER("Command") LIKE '%bluetooth%'
        OR LOWER("Command") LIKE '%wlan%'
        OR LOWER("Command") LIKE '%wifi%'
        OR LOWER("Command") LIKE '%hostednetwork%'
        OR LOWER("Command") LIKE '%softap%'
        OR LOWER("Command") LIKE '%netadapter%'
        OR LOWER("Command") LIKE '%mobilebroadband%')
      THEN 'PSWirelessManipulation'
    ELSE 'Unknown'
  END AS DetectionBranch,
  CASE
    WHEN LOWER("Command") LIKE '%hostednetwork%'
      OR LOWER("Command") LIKE '%mode=allow%'
      OR LOWER("Command") LIKE '%softap%'
    THEN TRUE ELSE FALSE
  END AS IsHotspotCreation
FROM events
WHERE
  LOGSOURCETYPEID IN (12, 382)
  AND (
    (
      LOWER(filename) LIKE '%netsh.exe%' AND (
        LOWER("Command") LIKE '%wlan%' OR
        LOWER("Command") LIKE '%hostednetwork%' OR
        LOWER("Command") LIKE '%mode=allow%' OR
        LOWER("Command") LIKE '%mode=disallow%' OR
        LOWER("Command") LIKE '%mobile hotspot%'
      )
    ) OR
    LOWER(filename) LIKE '%fsquirt.exe%' OR
    LOWER(filename) LIKE '%bttray.exe%' OR
    (
      (LOWER(filename) LIKE '%powershell.exe%' OR LOWER(filename) LIKE '%pwsh.exe%')
      AND (
        LOWER("Command") LIKE '%bluetooth%' OR
        LOWER("Command") LIKE '%wlan%' OR
        LOWER("Command") LIKE '%wifi%' OR
        LOWER("Command") LIKE '%hostednetwork%' OR
        LOWER("Command") LIKE '%softap%' OR
        LOWER("Command") LIKE '%netadapter%' OR
        LOWER("Command") LIKE '%mobilebroadband%'
      )
    )
  )
  AND starttime > NOW() - 86400 SECONDS
ORDER BY starttime DESC
LIMIT 500
```

Severity: high · Confidence: medium

IBM QRadar AQL query detecting T1011 exfiltration over alternate network mediums. Queries normalized process creation events from the Windows Security Event Log DSM (LOGSOURCETYPEID 12) and Microsoft Sysmon DSM (LOGSOURCETYPEID 382). Uses CASE expressions for branch classification and LIKE pattern matching on the normalized 'filename' and 'Command' custom properties. The 'Command' field must be mapped via a QRadar custom event property extraction rule on EventID 4688 (NewProcessName/CommandLine) and Sysmon EventID 1.
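The CASE logic of the query, re-implemented as an added Python example (not code from this page or from IBM) so the DetectionBranch and IsHotspotCreation classification can be checked against sample command lines before the AQL is deployed; the event dicts and their field names mirror the normalized QRadar properties the query reads (filename, "Command", username) and are constructed here.

```python
# Added example: mirrors the AQL CASE expressions in Python for offline testing.
# Events are constructed dicts shaped like normalized Security 4688 / Sysmon 1
# rows; the keys copy the QRadar property names used in the query.

NETSH_WLAN_TERMS = ("wlan", "hostednetwork", "mode=allow", "mode=disallow", "mobile hotspot")
BLUETOOTH_TOOLS = ("fsquirt.exe", "bttray.exe")
PS_IMAGES = ("powershell.exe", "pwsh.exe")
PS_WIRELESS_TERMS = ("bluetooth", "wlan", "wifi", "hostednetwork", "softap",
                     "netadapter", "mobilebroadband")
HOTSPOT_TERMS = ("hostednetwork", "mode=allow", "softap")

def detection_branch(event):
    """Mirror the DetectionBranch CASE; LIKE '%x%' on LOWER() is a substring test."""
    image = event.get("filename", "").lower()
    cmd = event.get("Command", "").lower()
    if "netsh.exe" in image and any(t in cmd for t in NETSH_WLAN_TERMS):
        return "NetshWlanConfig"
    if any(t in image for t in BLUETOOTH_TOOLS):
        return "BluetoothFileTransfer"
    if any(p in image for p in PS_IMAGES) and any(t in cmd for t in PS_WIRELESS_TERMS):
        return "PSWirelessManipulation"
    return None  # the WHERE clause excludes these rows entirely

def is_hotspot_creation(event):
    """Mirror the IsHotspotCreation flag: hosted-network or SoftAP creation terms."""
    cmd = event.get("Command", "").lower()
    return any(t in cmd for t in HOTSPOT_TERMS)

def run_detection(events):
    """Return (username, branch, hotspot_flag) for each event the query would return."""
    return [(ev.get("username"), b, is_hotspot_creation(ev))
            for ev in events if (b := detection_branch(ev))]

# Constructed sample rows (not real telemetry).
SAMPLE_EVENTS = [
    {"username": "jdoe", "filename": r"C:\Windows\System32\netsh.exe",
     "Command": "netsh wlan set hostednetwork mode=allow ssid=lab-test"},
    {"username": "jdoe", "filename": r"C:\Windows\System32\fsquirt.exe", "Command": "fsquirt.exe"},
    {"username": "svc_inventory", "filename": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Command": "powershell.exe -c Get-NetAdapter | Select-Object PhysicalMediaType"},
    {"username": "jdoe", "filename": r"C:\Windows\System32\netsh.exe",
     "Command": "netsh interface ip show config"},   # netsh without WLAN terms: not matched
]

if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print(hit)
```

The third sample row (an inventory service account running Get-NetAdapter) is exactly the kind of hit the tuning section below expects to allowlist by username.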

Data Sources

  • Windows Security Event Log DSM (LOGSOURCETYPEID 12)
  • Microsoft Sysmon DSM (LOGSOURCETYPEID 382)

Required Tables

events

False Positives & Tuning

  • Network operations teams executing scheduled netsh wlan diagnostics or running configuration scripts to provision wireless interfaces during infrastructure rollouts
  • End users or helpdesk staff initiating Bluetooth file transfers via fsquirt.exe or bttray.exe as part of documented peripheral setup or same-desk data-move workflows
  • Automated endpoint management or asset discovery platforms issuing PowerShell Get-NetAdapter or Set-NetConnectionProfile commands during nightly compliance and inventory sweeps

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Create and Start WiFi Hosted Network via netsh

    Expected signal: Sysmon Event ID 1: Two Process Create events — first with CommandLine containing 'wlan set hostednetwork mode=allow ssid=df00tech-test-exfil', second containing 'wlan start hostednetwork'. Security Event ID 4688 if command-line auditing is enabled. Windows WLAN-AutoConfig Operational Event ID 11000 (Microsoft-Windows-WLAN-AutoConfig: The wireless Hosted Network started successfully). Registry change under HKLM\SYSTEM\CurrentControlSet\Services\WlanSvc\Parameters\HostedNetworkSettings.

  2. Test 2: Launch Bluetooth File Transfer Wizard (fsquirt.exe)

    Expected signal: Sysmon Event ID 1: Process Create with Image=C:\Windows\System32\fsquirt.exe, ParentImage=powershell.exe, User=current user. Security Event ID 4688 if command-line auditing is enabled. Bluetooth-Driver Operational log may record adapter activation. No file creation or network connection events since no transfer is completed.

  3. Test 3: Wireless Adapter Reconnaissance via PowerShell and netsh

    Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'Get-NetAdapter' and 'PhysicalMediaType'. Child Sysmon Event ID 1 processes for netsh.exe with CommandLine 'wlan show interfaces' and 'wlan show profiles'. PowerShell ScriptBlock Log Event ID 4104 with the full script content.

  4. Test 4: Linux Bluetooth Device Discovery and OBEX Transfer Preparation

    Expected signal: Linux auditd (if configured with execve rules): SYSCALL records type=EXECVE for hciconfig, hcitool, bluetoothctl, and rfkill with their arguments and auid/uid/pid context. Syslog/journal entries from the Bluetooth daemon (bluetoothd) showing adapter state transitions. If Microsoft Defender for Linux is deployed, DeviceProcessEvents will record these process creation events.
