Response playbooks, investigation guides, and Atomic Red Team tests are Pro-only. Upgrade to unlock the full detection package for THREAT-Bluetooth-AirGapCourierExfil.

Upgrade to Pro
THREAT-Bluetooth-AirGapCourierExfil Splunk · SPL

Detect Air-Gap Bridging via Rogue Bluetooth Re-Enablement and Courier Device Pairing in Splunk

In high-security or OT/ICS environments, endpoint hardening policy typically disables the Bluetooth radio at the service level (bthserv start type set to Disabled) even though the hardware is physically present, precisely to prevent this exfiltration path. An insider or someone with brief physical access can re-enable the disabled service, pair a burner phone or small SBC-based Bluetooth receiver they brought in, and use the built-in OBEX file transfer (fsquirt.exe on Windows, obexftp/bluetoothctl on Linux) to move a staged archive off the host before removing the receiver from the premises — leaving almost no network-layer trace since the transfer never touches a monitored network segment. This is a narrower and higher-confidence variant of generic Bluetooth activity monitoring: the base T1011.001 technique detection watches for any Bluetooth tool execution or registry/file activity, which is noisy in environments where Bluetooth is a normal peripheral channel. This scenario instead keys on the specific sequence that only occurs on a host where Bluetooth was deliberately disabled by policy: a service start-type change from Disabled to Automatic/Manual, followed within a short window by a new device pairing and an OBEX file transfer, ideally combined with off-hours timing. That sequence has essentially no legitimate business explanation on a hardened endpoint and is a strong indicator of deliberate air-gap bridging rather than routine peripheral use.

MITRE ATT&CK

Tactic
Exfiltration

SPL Detection Query

Splunk (SPL)
spl
| multisearch
[ search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" (EventCode=12 OR EventCode=13)
  TargetObject="*Services\\bthserv\\Start*" (Details="2" OR Details="3" OR Details="0x00000002" OR Details="0x00000003")
  | eval Signal="BluetoothServiceReEnabled"
  | table _time, host, User, TargetObject, Details, Signal ]
[ search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=12
  TargetObject="*BTHPORT\\Parameters\\Devices*" EventType="CreateKey"
  | eval Signal="NewBluetoothPairing"
  | table _time, host, User, TargetObject, Signal ]
[ search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
  (Image="*\\fsquirt.exe" OR Image="*\\obexftp" OR Image="*bluetooth-sendto*")
  | eval Signal="ObexFileTransfer"
  | table _time, host, User, Image, CommandLine, Signal ]
| sort 0 host, _time
| stats list(Signal) as Signals, list(_time) as Times by host
| where mvcount(Signals) >= 3 AND mvfind(Signals, "BluetoothServiceReEnabled") >= 0 AND mvfind(Signals, "NewBluetoothPairing") >= 0 AND mvfind(Signals, "ObexFileTransfer") >= 0
high severity high confidence

SPL detection combining three Sysmon registry/process signals on the same host: bthserv Start value change to Automatic/Manual (Event ID 12/13), new BTHPORT device pairing key creation (Event ID 12), and an OBEX transfer tool execution (Event ID 1). The final stats stage requires all three signal types to be present for the same host before surfacing an alert, replicating the ordered correlation expressed natively in the KQL query.

Data Sources

Sysmon Event ID 1Sysmon Event ID 12Sysmon Event ID 13

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives & Tuning

  • Authorized IT change re-enabling Bluetooth for approved peripheral installation
  • Endpoint reimaging resetting service start types before hardening baseline is reapplied
  • Documented exception process for a specific role requiring Bluetooth

Other platforms for THREAT-Bluetooth-AirGapCourierExfil


Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Re-Enable Disabled Bluetooth Service on Windows

    Expected signal: Sysmon Event ID 13: registry value change for HKLM\SYSTEM\CurrentControlSet\Services\bthserv\Start from 4 (Disabled) to 3 (Manual/Demand). Windows Event Log System channel Event ID 7040 recording the service start-type change. Sysmon Event ID 1 for sc.exe process creation with 'config bthserv' in the command line.

  2. Test 2Simulate Bluetooth Device Pairing Registry Entry

    Expected signal: Sysmon Event ID 12: RegistryKeyCreated event for the new device key under BTHPORT\Parameters\Devices. Sysmon Event ID 1 for reg.exe process creation with 'add' and the BTHPORT path in the command line.

  3. Test 3Execute Windows Bluetooth File Transfer Wizard (fsquirt)

    Expected signal: Sysmon Event ID 1: process creation for fsquirt.exe with '/SEND' argument. File creation event for the staged test file preceding the transfer attempt.

Unlock playbooks & atomic tests with Pro

Get the full detection package for THREAT-Bluetooth-AirGapCourierExfil — response playbook and atomic red team tests, plus investigation guidance and hunting queries.

df00tech Pro — £29/user/month

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections