Response playbooks, investigation guides, and Atomic Red Team tests are Pro-only. Upgrade to unlock the full detection package for THREAT-Bluetooth-AirGapCourierExfil.

Upgrade to Pro
THREAT-Bluetooth-AirGapCourierExfil Microsoft Sentinel · KQL

Detect Air-Gap Bridging via Rogue Bluetooth Re-Enablement and Courier Device Pairing in Microsoft Sentinel

In high-security or OT/ICS environments, endpoint hardening policy typically disables the Bluetooth radio at the service level (bthserv start type set to Disabled) even though the hardware is physically present, precisely to prevent this exfiltration path. An insider or someone with brief physical access can re-enable the disabled service, pair a burner phone or small SBC-based Bluetooth receiver they brought in, and use the built-in OBEX file transfer (fsquirt.exe on Windows, obexftp/bluetoothctl on Linux) to move a staged archive off the host before removing the receiver from the premises — leaving almost no network-layer trace since the transfer never touches a monitored network segment. This is a narrower and higher-confidence variant of generic Bluetooth activity monitoring: the base T1011.001 technique detection watches for any Bluetooth tool execution or registry/file activity, which is noisy in environments where Bluetooth is a normal peripheral channel. This scenario instead keys on the specific sequence that only occurs on a host where Bluetooth was deliberately disabled by policy: a service start-type change from Disabled to Automatic/Manual, followed within a short window by a new device pairing and an OBEX file transfer, ideally combined with off-hours timing. That sequence has essentially no legitimate business explanation on a hardened endpoint and is a strong indicator of deliberate air-gap bridging rather than routine peripheral use.

MITRE ATT&CK

Tactic
Exfiltration

KQL Detection Query

Microsoft Sentinel (KQL)
kusto
// Signal 1: bthserv service re-enabled from Disabled to Automatic/Manual start type
let ServiceReEnable =
DeviceRegistryEvents
| where Timestamp > ago(24h)
| where RegistryKey has @"Services\bthserv" and RegistryValueName == "Start"
| where RegistryValueData in ("2", "3") // 2=Automatic, 3=Manual (re-enabled from 4=Disabled)
| project Timestamp, DeviceName, AccountName = InitiatingProcessAccountName,
         InitiatingProcessFileName, RegistryValueData, Signal = "BluetoothServiceReEnabled";
// Signal 2: new Bluetooth device pairing shortly after
let NewPairing =
DeviceRegistryEvents
| where Timestamp > ago(24h)
| where RegistryKey has @"BTHPORT\Parameters\Devices"
| where ActionType == "RegistryKeyCreated"
| project Timestamp, DeviceName, AccountName = InitiatingProcessAccountName,
         RegistryKey, Signal = "NewBluetoothPairing";
// Signal 3: OBEX file transfer via fsquirt or equivalent
let ObexTransfer =
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("fsquirt.exe", "obexftp", "bluetooth-sendto")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, Signal = "ObexFileTransfer";
// Correlate: service re-enable -> pairing -> transfer, all on same device within 2 hours
ServiceReEnable
| join kind=inner (NewPairing) on DeviceName
| where Timestamp1 > Timestamp and Timestamp1 < Timestamp + 2h
| join kind=inner (ObexTransfer) on DeviceName
| where Timestamp2 > Timestamp1 and Timestamp2 < Timestamp1 + 2h
| extend IsOffHours = hourofday(Timestamp2) < 6 or hourofday(Timestamp2) >= 18
| project DeviceName, AccountName, ServiceReEnableTime = Timestamp, PairingTime = Timestamp1,
         TransferTime = Timestamp2, ObexProcess = FileName, ObexCommandLine = ProcessCommandLine, IsOffHours
| sort by TransferTime desc
high severity high confidence

Correlates a three-stage sequence unique to hardened endpoints where Bluetooth is normally disabled: (1) the bthserv service start type changing from Disabled to Automatic or Manual; (2) a new device pairing recorded under the BTHPORT device registry key within 2 hours of the re-enable; (3) an OBEX file transfer (fsquirt.exe or equivalent) within 2 hours of the pairing. All three stages occurring on the same device in sequence is a high-confidence indicator of deliberate air-gap bridging. The IsOffHours field flags transfers occurring outside 06:00-18:00 local time for prioritization.

Data Sources

Windows Registry: Registry Key ModificationWindows Registry: Registry Key CreationProcess: Process CreationMicrosoft Defender for Endpoint

Required Tables

DeviceRegistryEventsDeviceProcessEvents

False Positives & Tuning

  • Authorized IT change ticket temporarily re-enabling Bluetooth for approved peripheral installation (new wireless mouse/keyboard rollout) on a normally-hardened endpoint
  • Endpoint reimaging or OS upgrade that resets service start types to vendor defaults before configuration management re-applies the hardening baseline
  • Approved exception process for a specific role (e.g., a presenter needing Bluetooth for a conference room display) — should be documented and excluded by device group

Other platforms for THREAT-Bluetooth-AirGapCourierExfil


Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Re-Enable Disabled Bluetooth Service on Windows

    Expected signal: Sysmon Event ID 13: registry value change for HKLM\SYSTEM\CurrentControlSet\Services\bthserv\Start from 4 (Disabled) to 3 (Manual/Demand). Windows Event Log System channel Event ID 7040 recording the service start-type change. Sysmon Event ID 1 for sc.exe process creation with 'config bthserv' in the command line.

  2. Test 2Simulate Bluetooth Device Pairing Registry Entry

    Expected signal: Sysmon Event ID 12: RegistryKeyCreated event for the new device key under BTHPORT\Parameters\Devices. Sysmon Event ID 1 for reg.exe process creation with 'add' and the BTHPORT path in the command line.

  3. Test 3Execute Windows Bluetooth File Transfer Wizard (fsquirt)

    Expected signal: Sysmon Event ID 1: process creation for fsquirt.exe with '/SEND' argument. File creation event for the staged test file preceding the transfer attempt.

Unlock playbooks & atomic tests with Pro

Get the full detection package for THREAT-Bluetooth-AirGapCourierExfil — response playbook and atomic red team tests, plus investigation guidance and hunting queries.

df00tech Pro — £29/user/month

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections