Detect Exfiltration Over Other Network Medium in Microsoft Sentinel
Adversaries may attempt to exfiltrate data over a different network medium than the command and control channel. If the command and control network is a wired Internet connection, the exfiltration may occur over a WiFi connection, modem, cellular data connection, Bluetooth, or another radio frequency (RF) channel. Adversaries may choose to do this if they have sufficient access or proximity, and the connection might not be secured or defended as well as the primary Internet-connected channel because it is not routed through the same enterprise network monitoring infrastructure. This technique is commonly associated with insider threat scenarios and advanced adversaries who have achieved a foothold and seek to bypass perimeter DLP controls that monitor only the primary wired egress channel.
MITRE ATT&CK
- Tactic
- Exfiltration
- Canonical reference
- https://attack.mitre.org/techniques/T1011/
KQL Detection Query
let WirelessHotspotPatterns = dynamic([
"hostednetwork", "start hostednetwork", "mode=allow", "mode=disallow",
"mobile hotspot", "set hostednetwork"
]);
let WirelessDiscoveryPatterns = dynamic([
"show interface", "show networks", "show profiles",
"show wlanreport", "show hostednetwork", "show drivers"
]);
let BluetoothTransferBinaries = dynamic([
"fsquirt.exe", "bttray.exe"
]);
let SuspiciousParents = dynamic([
"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
"mshta.exe", "rundll32.exe", "regsvr32.exe", "schtasks.exe"
]);
// Branch 1: netsh wlan commands for hotspot creation or wireless interface manipulation
let NetshWlanBranch = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "netsh.exe"
| where ProcessCommandLine has "wlan" or ProcessCommandLine has_any (WirelessHotspotPatterns)
| extend DetectionBranch = "NetshWlanConfig"
| extend IsHotspotCreation = ProcessCommandLine has_any (["hostednetwork", "mode=allow", "start hostednetwork"])
| extend IsWirelessDiscovery = ProcessCommandLine has_any (WirelessDiscoveryPatterns);
// Branch 2: Bluetooth file transfer wizard and tray utilities
let BluetoothTransferBranch = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName has_any (BluetoothTransferBinaries)
| extend DetectionBranch = "BluetoothFileTransfer"
| extend IsHotspotCreation = false
| extend IsWirelessDiscovery = false;
// Branch 3: PowerShell manipulating wireless or Bluetooth adapters — higher-fidelity if spawned from suspicious parent
let PSWirelessBranch = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any ([
"Bluetooth", "WiFi", "WLAN", "MobileBroadband",
"NetAdapter", "New-WiFiProfile", "Get-NetAdapter",
"Set-NetConnectionProfile", "Add-VpnConnection",
"SoftAP", "HostedNetwork"
])
| where InitiatingProcessFileName has_any (SuspiciousParents)
or ProcessCommandLine has_any (["-enc", "-EncodedCommand", "Compress-Archive", "DownloadFile", "exfil"])
| extend DetectionBranch = "PSWirelessManipulation"
| extend IsHotspotCreation = ProcessCommandLine has_any (["HostedNetwork", "SoftAP", "hotspot"])
| extend IsWirelessDiscovery = ProcessCommandLine has_any (["Get-NetAdapter", "Get-WiFiProfile", "show"]);
union NetshWlanBranch, BluetoothTransferBranch, PSWirelessBranch
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
InitiatingProcessFileName, InitiatingProcessCommandLine,
DetectionBranch, IsHotspotCreation, IsWirelessDiscovery
| sort by Timestamp descDetects potential exfiltration over alternative network mediums by monitoring suspicious wireless configuration commands, Bluetooth file transfer tool execution, and PowerShell-based wireless adapter manipulation. Three detection branches cover: (1) netsh wlan hotspot creation and wireless interface commands, (2) Windows Bluetooth file transfer wizard (fsquirt.exe, bttray.exe) execution, and (3) PowerShell manipulating wireless/Bluetooth adapters when spawned from suspicious parents or combined with data staging patterns. Targets adversaries establishing alternative egress channels that bypass enterprise perimeter DLP monitoring on the primary wired interface.
Data Sources
Required Tables
False Positives & Tuning
- IT administrators running netsh wlan commands to diagnose wireless connectivity issues or manage corporate wireless profiles
- Help desk staff using netsh wlan show commands for network troubleshooting on user endpoints
- MDM/EMM agents (Microsoft Intune, SCCM/MECM) deploying or updating wireless configuration profiles via PowerShell
- End users legitimately transferring personal files to Bluetooth peripherals (headphones, phones) via fsquirt.exe
- Network assessment or inventory tools querying wireless adapter status and available SSIDs
Other platforms for T1011
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Create and Start WiFi Hosted Network via netsh
Expected signal: Sysmon Event ID 1: Two Process Create events — first with CommandLine containing 'wlan set hostednetwork mode=allow ssid=df00tech-test-exfil', second containing 'wlan start hostednetwork'. Security Event ID 4688 if command-line auditing is enabled. Windows WLAN-AutoConfig Operational Event ID 11000 (Microsoft-Windows-WLAN-AutoConfig: The wireless Hosted Network started successfully). Registry change under HKLM\SYSTEM\CurrentControlSet\Services\WlanSvc\Parameters\HostedNetworkSettings.
- Test 2Launch Bluetooth File Transfer Wizard (fsquirt.exe)
Expected signal: Sysmon Event ID 1: Process Create with Image=C:\Windows\System32\fsquirt.exe, ParentImage=powershell.exe, User=current user. Security Event ID 4688 if command-line auditing is enabled. Bluetooth-Driver Operational log may record adapter activation. No file creation or network connection events since no transfer is completed.
- Test 3Wireless Adapter Reconnaissance via PowerShell and netsh
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'Get-NetAdapter' and 'PhysicalMediaType'. Child Sysmon Event ID 1 processes for netsh.exe with CommandLine 'wlan show interfaces' and 'wlan show profiles'. PowerShell ScriptBlock Log Event ID 4104 with the full script content.
- Test 4Linux Bluetooth Device Discovery and OBEX Transfer Preparation
Expected signal: Linux auditd (if configured with execve rules): SYSCALL records type=EXECVE for hciconfig, hcitool, bluetoothctl, and rfkill with their arguments and auid/uid/pid context. Syslog/journal entries from the Bluetooth daemon (bluetoothd) showing adapter state transitions. If Microsoft Defender for Linux is deployed, DeviceProcessEvents will record these process creation events.
References (8)
- https://attack.mitre.org/techniques/T1011/
- https://attack.mitre.org/techniques/T1011/001/
- https://learn.microsoft.com/en-us/windows-server/networking/technologies/netsh/netsh-contexts
- https://learn.microsoft.com/en-us/windows/win32/wlanapi/about-the-wireless-hosted-network
- https://learn.microsoft.com/en-us/windows-hardware/drivers/bluetooth/bluetooth-faq--transferring-files-faq
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1011/T1011.md
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection
- https://learn.microsoft.com/en-us/windows/win32/bluetooth/bluetooth-and-bluetooth-le
Unlock Pro Content
Get the full detection package for T1011 including response playbook, investigation guide, and atomic red team tests.