Response playbooks, investigation guides, and Atomic Red Team tests are Pro-only. Upgrade to unlock the full detection package for THREAT-Bluetooth-AirGapCourierExfil.
Upgrade to ProDetect Air-Gap Bridging via Rogue Bluetooth Re-Enablement and Courier Device Pairing in Microsoft Sentinel
In high-security or OT/ICS environments, endpoint hardening policy typically disables the Bluetooth radio at the service level (bthserv start type set to Disabled) even though the hardware is physically present, precisely to prevent this exfiltration path. An insider or someone with brief physical access can re-enable the disabled service, pair a burner phone or small SBC-based Bluetooth receiver they brought in, and use the built-in OBEX file transfer (fsquirt.exe on Windows, obexftp/bluetoothctl on Linux) to move a staged archive off the host before removing the receiver from the premises — leaving almost no network-layer trace since the transfer never touches a monitored network segment. This is a narrower and higher-confidence variant of generic Bluetooth activity monitoring: the base T1011.001 technique detection watches for any Bluetooth tool execution or registry/file activity, which is noisy in environments where Bluetooth is a normal peripheral channel. This scenario instead keys on the specific sequence that only occurs on a host where Bluetooth was deliberately disabled by policy: a service start-type change from Disabled to Automatic/Manual, followed within a short window by a new device pairing and an OBEX file transfer, ideally combined with off-hours timing. That sequence has essentially no legitimate business explanation on a hardened endpoint and is a strong indicator of deliberate air-gap bridging rather than routine peripheral use.
MITRE ATT&CK
- Tactic
- Exfiltration
KQL Detection Query
// Signal 1: bthserv service re-enabled from Disabled to Automatic/Manual start type
let ServiceReEnable =
DeviceRegistryEvents
| where Timestamp > ago(24h)
| where RegistryKey has @"Services\bthserv" and RegistryValueName == "Start"
| where RegistryValueData in ("2", "3") // 2=Automatic, 3=Manual (re-enabled from 4=Disabled)
| project Timestamp, DeviceName, AccountName = InitiatingProcessAccountName,
InitiatingProcessFileName, RegistryValueData, Signal = "BluetoothServiceReEnabled";
// Signal 2: new Bluetooth device pairing shortly after
let NewPairing =
DeviceRegistryEvents
| where Timestamp > ago(24h)
| where RegistryKey has @"BTHPORT\Parameters\Devices"
| where ActionType == "RegistryKeyCreated"
| project Timestamp, DeviceName, AccountName = InitiatingProcessAccountName,
RegistryKey, Signal = "NewBluetoothPairing";
// Signal 3: OBEX file transfer via fsquirt or equivalent
let ObexTransfer =
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("fsquirt.exe", "obexftp", "bluetooth-sendto")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, Signal = "ObexFileTransfer";
// Correlate: service re-enable -> pairing -> transfer, all on same device within 2 hours
ServiceReEnable
| join kind=inner (NewPairing) on DeviceName
| where Timestamp1 > Timestamp and Timestamp1 < Timestamp + 2h
| join kind=inner (ObexTransfer) on DeviceName
| where Timestamp2 > Timestamp1 and Timestamp2 < Timestamp1 + 2h
| extend IsOffHours = hourofday(Timestamp2) < 6 or hourofday(Timestamp2) >= 18
| project DeviceName, AccountName, ServiceReEnableTime = Timestamp, PairingTime = Timestamp1,
TransferTime = Timestamp2, ObexProcess = FileName, ObexCommandLine = ProcessCommandLine, IsOffHours
| sort by TransferTime desc Correlates a three-stage sequence unique to hardened endpoints where Bluetooth is normally disabled: (1) the bthserv service start type changing from Disabled to Automatic or Manual; (2) a new device pairing recorded under the BTHPORT device registry key within 2 hours of the re-enable; (3) an OBEX file transfer (fsquirt.exe or equivalent) within 2 hours of the pairing. All three stages occurring on the same device in sequence is a high-confidence indicator of deliberate air-gap bridging. The IsOffHours field flags transfers occurring outside 06:00-18:00 local time for prioritization.
Data Sources
Required Tables
False Positives & Tuning
- Authorized IT change ticket temporarily re-enabling Bluetooth for approved peripheral installation (new wireless mouse/keyboard rollout) on a normally-hardened endpoint
- Endpoint reimaging or OS upgrade that resets service start types to vendor defaults before configuration management re-applies the hardening baseline
- Approved exception process for a specific role (e.g., a presenter needing Bluetooth for a conference room display) — should be documented and excluded by device group
Other platforms for THREAT-Bluetooth-AirGapCourierExfil
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Re-Enable Disabled Bluetooth Service on Windows
Expected signal: Sysmon Event ID 13: registry value change for HKLM\SYSTEM\CurrentControlSet\Services\bthserv\Start from 4 (Disabled) to 3 (Manual/Demand). Windows Event Log System channel Event ID 7040 recording the service start-type change. Sysmon Event ID 1 for sc.exe process creation with 'config bthserv' in the command line.
- Test 2Simulate Bluetooth Device Pairing Registry Entry
Expected signal: Sysmon Event ID 12: RegistryKeyCreated event for the new device key under BTHPORT\Parameters\Devices. Sysmon Event ID 1 for reg.exe process creation with 'add' and the BTHPORT path in the command line.
- Test 3Execute Windows Bluetooth File Transfer Wizard (fsquirt)
Expected signal: Sysmon Event ID 1: process creation for fsquirt.exe with '/SEND' argument. File creation event for the staged test file preceding the transfer attempt.
Unlock playbooks & atomic tests with Pro
Get the full detection package for THREAT-Bluetooth-AirGapCourierExfil — response playbook and atomic red team tests, plus investigation guidance and hunting queries.
df00tech Pro — £29/user/month