Response playbooks, investigation guides, and Atomic Red Team tests are Pro-only. Upgrade to unlock the full detection package for THREAT-Bluetooth-AirGapCourierExfil.
Upgrade to ProAir-Gap Bridging via Rogue Bluetooth Re-Enablement and Courier Device Pairing
In high-security or OT/ICS environments, endpoint hardening policy typically disables the Bluetooth radio at the service level (bthserv start type set to Disabled) even though the hardware is physically present, precisely to prevent this exfiltration path. An insider or someone with brief physical access can re-enable the disabled service, pair a burner phone or small SBC-based Bluetooth receiver they brought in, and use the built-in OBEX file transfer (fsquirt.exe on Windows, obexftp/bluetoothctl on Linux) to move a staged archive off the host before removing the receiver from the premises — leaving almost no network-layer trace since the transfer never touches a monitored network segment. This is a narrower and higher-confidence variant of generic Bluetooth activity monitoring: the base T1011.001 technique detection watches for any Bluetooth tool execution or registry/file activity, which is noisy in environments where Bluetooth is a normal peripheral channel. This scenario instead keys on the specific sequence that only occurs on a host where Bluetooth was deliberately disabled by policy: a service start-type change from Disabled to Automatic/Manual, followed within a short window by a new device pairing and an OBEX file transfer, ideally combined with off-hours timing. That sequence has essentially no legitimate business explanation on a hardened endpoint and is a strong indicator of deliberate air-gap bridging rather than routine peripheral use.
What is THREAT-Bluetooth-AirGapCourierExfil Air-Gap Bridging via Rogue Bluetooth Re-Enablement and Courier Device Pairing?
Air-Gap Bridging via Rogue Bluetooth Re-Enablement and Courier Device Pairing (THREAT-Bluetooth-AirGapCourierExfil) maps to the Exfiltration tactic — the adversary is trying to steal data in MITRE ATT&CK.
This page provides production-ready detection logic for Air-Gap Bridging via Rogue Bluetooth Re-Enablement and Courier Device Pairing, covering the data sources and telemetry it touches: Windows Registry: Registry Key Modification, Windows Registry: Registry Key Creation, Process: Process Creation, Microsoft Defender for Endpoint. The queries below are rated high severity at high confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.
MITRE ATT&CK
- Tactic
- Exfiltration
// Signal 1: bthserv service re-enabled from Disabled to Automatic/Manual start type
let ServiceReEnable =
DeviceRegistryEvents
| where Timestamp > ago(24h)
| where RegistryKey has @"Services\bthserv" and RegistryValueName == "Start"
| where RegistryValueData in ("2", "3") // 2=Automatic, 3=Manual (re-enabled from 4=Disabled)
| project Timestamp, DeviceName, AccountName = InitiatingProcessAccountName,
InitiatingProcessFileName, RegistryValueData, Signal = "BluetoothServiceReEnabled";
// Signal 2: new Bluetooth device pairing shortly after
let NewPairing =
DeviceRegistryEvents
| where Timestamp > ago(24h)
| where RegistryKey has @"BTHPORT\Parameters\Devices"
| where ActionType == "RegistryKeyCreated"
| project Timestamp, DeviceName, AccountName = InitiatingProcessAccountName,
RegistryKey, Signal = "NewBluetoothPairing";
// Signal 3: OBEX file transfer via fsquirt or equivalent
let ObexTransfer =
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("fsquirt.exe", "obexftp", "bluetooth-sendto")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, Signal = "ObexFileTransfer";
// Correlate: service re-enable -> pairing -> transfer, all on same device within 2 hours
ServiceReEnable
| join kind=inner (NewPairing) on DeviceName
| where Timestamp1 > Timestamp and Timestamp1 < Timestamp + 2h
| join kind=inner (ObexTransfer) on DeviceName
| where Timestamp2 > Timestamp1 and Timestamp2 < Timestamp1 + 2h
| extend IsOffHours = hourofday(Timestamp2) < 6 or hourofday(Timestamp2) >= 18
| project DeviceName, AccountName, ServiceReEnableTime = Timestamp, PairingTime = Timestamp1,
TransferTime = Timestamp2, ObexProcess = FileName, ObexCommandLine = ProcessCommandLine, IsOffHours
| sort by TransferTime desc Correlates a three-stage sequence unique to hardened endpoints where Bluetooth is normally disabled: (1) the bthserv service start type changing from Disabled to Automatic or Manual; (2) a new device pairing recorded under the BTHPORT device registry key within 2 hours of the re-enable; (3) an OBEX file transfer (fsquirt.exe or equivalent) within 2 hours of the pairing. All three stages occurring on the same device in sequence is a high-confidence indicator of deliberate air-gap bridging. The IsOffHours field flags transfers occurring outside 06:00-18:00 local time for prioritization.
Data Sources
Required Tables
False Positives
- Authorized IT change ticket temporarily re-enabling Bluetooth for approved peripheral installation (new wireless mouse/keyboard rollout) on a normally-hardened endpoint
- Endpoint reimaging or OS upgrade that resets service start types to vendor defaults before configuration management re-applies the hardening baseline
- Approved exception process for a specific role (e.g., a presenter needing Bluetooth for a conference room display) — should be documented and excluded by device group
Sigma rule & cross-platform mapping
The detection logic for Air-Gap Bridging via Rogue Bluetooth Re-Enablement and Courier Device Pairing (THREAT-Bluetooth-AirGapCourierExfil) above is provided in a vendor-neutral
form so you can deploy it on any SIEM. The same logic is shipped here as native
KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the
following logsource:
logsource:
category: process_creation
product: windows Browse the community-maintained Sigma rules for this technique:
Platform-specific guides for THREAT-Bluetooth-AirGapCourierExfil
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Re-Enable Disabled Bluetooth Service on Windows
Expected signal: Sysmon Event ID 13: registry value change for HKLM\SYSTEM\CurrentControlSet\Services\bthserv\Start from 4 (Disabled) to 3 (Manual/Demand). Windows Event Log System channel Event ID 7040 recording the service start-type change. Sysmon Event ID 1 for sc.exe process creation with 'config bthserv' in the command line.
- Test 2Simulate Bluetooth Device Pairing Registry Entry
Expected signal: Sysmon Event ID 12: RegistryKeyCreated event for the new device key under BTHPORT\Parameters\Devices. Sysmon Event ID 1 for reg.exe process creation with 'add' and the BTHPORT path in the command line.
- Test 3Execute Windows Bluetooth File Transfer Wizard (fsquirt)
Expected signal: Sysmon Event ID 1: process creation for fsquirt.exe with '/SEND' argument. File creation event for the staged test file preceding the transfer attempt.
Unlock playbooks & atomic tests with Pro
Get the full detection package for THREAT-Bluetooth-AirGapCourierExfil — response playbook and atomic red team tests, plus investigation guidance and hunting queries.
df00tech Pro — £29/user/month