Response playbooks, investigation guides, and Atomic Red Team tests are Pro-only. Upgrade to unlock the full detection package for THREAT-Bluetooth-AirGapCourierExfil.
Upgrade to ProDetect Air-Gap Bridging via Rogue Bluetooth Re-Enablement and Courier Device Pairing in Google Chronicle
In high-security or OT/ICS environments, endpoint hardening policy typically disables the Bluetooth radio at the service level (bthserv start type set to Disabled) even though the hardware is physically present, precisely to prevent this exfiltration path. An insider or someone with brief physical access can re-enable the disabled service, pair a burner phone or small SBC-based Bluetooth receiver they brought in, and use the built-in OBEX file transfer (fsquirt.exe on Windows, obexftp/bluetoothctl on Linux) to move a staged archive off the host before removing the receiver from the premises — leaving almost no network-layer trace since the transfer never touches a monitored network segment. This is a narrower and higher-confidence variant of generic Bluetooth activity monitoring: the base T1011.001 technique detection watches for any Bluetooth tool execution or registry/file activity, which is noisy in environments where Bluetooth is a normal peripheral channel. This scenario instead keys on the specific sequence that only occurs on a host where Bluetooth was deliberately disabled by policy: a service start-type change from Disabled to Automatic/Manual, followed within a short window by a new device pairing and an OBEX file transfer, ideally combined with off-hours timing. That sequence has essentially no legitimate business explanation on a hardened endpoint and is a strong indicator of deliberate air-gap bridging rather than routine peripheral use.
MITRE ATT&CK
- Tactic
- Exfiltration
YARA-L Detection Query
rule airgap_bluetooth_bridging {
meta:
author = "df00tech"
description = "Detects re-enablement of a policy-disabled Bluetooth service followed by new device pairing and an OBEX file transfer on the same host"
severity = "HIGH"
mitre_attack_tactic = "Exfiltration"
mitre_attack_technique = "T1011.001"
reference = "https://attack.mitre.org/techniques/T1011/001/"
events:
$svc.metadata.event_type = "REGISTRY_MODIFICATION"
re.regex($svc.target.registry.registry_key, `(?i)bthserv\\start`)
$pair.metadata.event_type = "REGISTRY_MODIFICATION"
re.regex($pair.target.registry.registry_key, `(?i)bthport\\parameters\\devices`)
$xfer.metadata.event_type = "PROCESS_LAUNCH"
re.regex($xfer.target.process.file.full_path, `(?i)(fsquirt|obexftp)`)
$hostname = $svc.principal.hostname
$hostname = $pair.principal.hostname
$hostname = $xfer.principal.hostname
$svc.metadata.event_timestamp.seconds < $pair.metadata.event_timestamp.seconds
$pair.metadata.event_timestamp.seconds < $xfer.metadata.event_timestamp.seconds
condition:
$svc and $pair and $xfer
} Chronicle YARA-L 2.0 rule joining three UDM events on shared hostname and enforcing timestamp ordering: Bluetooth service re-enablement, new device pairing, then an OBEX transfer tool launch — reconstructing the full air-gap bridging sequence.
Data Sources
Required Tables
False Positives & Tuning
- Authorized IT change re-enabling Bluetooth for approved peripheral installation
- Endpoint reimaging resetting service start types before hardening baseline reapplied
Other platforms for THREAT-Bluetooth-AirGapCourierExfil
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Re-Enable Disabled Bluetooth Service on Windows
Expected signal: Sysmon Event ID 13: registry value change for HKLM\SYSTEM\CurrentControlSet\Services\bthserv\Start from 4 (Disabled) to 3 (Manual/Demand). Windows Event Log System channel Event ID 7040 recording the service start-type change. Sysmon Event ID 1 for sc.exe process creation with 'config bthserv' in the command line.
- Test 2Simulate Bluetooth Device Pairing Registry Entry
Expected signal: Sysmon Event ID 12: RegistryKeyCreated event for the new device key under BTHPORT\Parameters\Devices. Sysmon Event ID 1 for reg.exe process creation with 'add' and the BTHPORT path in the command line.
- Test 3Execute Windows Bluetooth File Transfer Wizard (fsquirt)
Expected signal: Sysmon Event ID 1: process creation for fsquirt.exe with '/SEND' argument. File creation event for the staged test file preceding the transfer attempt.
Unlock playbooks & atomic tests with Pro
Get the full detection package for THREAT-Bluetooth-AirGapCourierExfil — response playbook and atomic red team tests, plus investigation guidance and hunting queries.
df00tech Pro — £29/user/month