Response playbooks, investigation guides, and Atomic Red Team tests are Pro-only. Upgrade to unlock the full detection package for THREAT-USBTethering-NetworkBypassExfil.

Upgrade to Pro
THREAT-USBTethering-NetworkBypassExfil

Exfiltration Over Other Network Medium — Data Exfiltration via USB Cellular Modem / Mobile Hotspot Tethering (Corporate Network Bypass)

Exfiltration Last updated:

Exfiltration Over Other Network Medium (T1011) covers cases where an adversary routes data over a network channel other than the compromised host's primary, monitored corporate connection. One of the most practical instances of this on modern managed endpoints is USB cellular-modem or mobile-hotspot tethering: an operator (insider or malware with local/physical access) plugs an Android device configured for USB tethering, or an iPhone in Personal Hotspot mode, into a corporate workstation. Windows enumerates the phone as a USB RNDIS (Remote NDIS) network adapter and installs it automatically using an in-box driver (usbrndis6.inf or wceusbsh.inf for Windows Mobile Device Center-class devices), creating a second, fully-routable network path that bypasses the corporate proxy, DLP egress inspection, and firewall egress rules entirely — traffic over the tethered adapter never touches the monitored network segment. This is distinct from Bluetooth-based exfiltration (T1011.001, covered separately in this corpus), which uses a fundamentally different protocol stack and driver class, and distinct from T1052.001 (Exfiltration over USB), which covers copying data to USB mass-storage rather than using USB as a network transport. Because RNDIS tethering devices install via Windows' standard Plug and Play driver framework, their arrival is reliably observable in the registry even when process-level or network-flow visibility into the tethered link itself is unavailable (the OS routes traffic over the new adapter, which most EDR network sensors do not separately attribute).

What is THREAT-USBTethering-NetworkBypassExfil Data Exfiltration via USB Cellular Modem / Mobile Hotspot Tethering (Corporate Network Bypass)?

Data Exfiltration via USB Cellular Modem / Mobile Hotspot Tethering (Corporate Network Bypass) (THREAT-USBTethering-NetworkBypassExfil) is a sub-technique of Exfiltration Over Other Network Medium (T1011) in the MITRE ATT&CK framework. It maps to the Exfiltration tactic — the adversary is trying to steal data.

This page provides production-ready detection logic for Data Exfiltration via USB Cellular Modem / Mobile Hotspot Tethering (Corporate Network Bypass), covering the data sources and telemetry it touches: Windows Registry: Registry Key Modification, Network Traffic: Network Connection Creation, Microsoft Defender for Endpoint (DeviceRegistryEvents, DeviceNetworkEvents). The queries below are rated high severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic
Exfiltration
Microsoft Sentinel / Defender
kusto
let LookbackWindow = 24h;
let RndisClassGuid = "{4d36e972-e325-11ce-bfc1-08002be10318}";
let TetherIndicators = dynamic([
  "usbrndis6.inf", "wceusbsh.inf", "RNDIS", "Android Bootloader Interface",
  "Apple Mobile Device", "iPhone", "Personal Hotspot", "Remote NDIS"
]);
let RndisRegistryEvents =
  DeviceRegistryEvents
  | where Timestamp > ago(LookbackWindow)
  | where ActionType in ("RegistryValueSet", "RegistryKeyCreated")
  | where RegistryKey has RndisClassGuid
      or RegistryValueData has_any (TetherIndicators)
      or RegistryKey has_any ("Enum\\USB", "Enum\\USBSTOR")
  | where RegistryValueData has_any (TetherIndicators) or RegistryKey has RndisClassGuid
  | project Timestamp, DeviceName, AccountName = InitiatingProcessAccountName,
      RegistryKey, RegistryValueName, RegistryValueData,
      InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType = "RNDIS Tethering Device Installed";
let TetheredSubnetTraffic =
  DeviceNetworkEvents
  | where Timestamp > ago(LookbackWindow)
  | where ipv4_is_in_range(LocalIP, "192.168.42.0/24") or ipv4_is_in_range(LocalIP, "192.168.43.0/24") or ipv4_is_in_range(LocalIP, "172.20.10.0/28")
  | project Timestamp, DeviceName, AccountName, LocalIP, RemoteIP, RemoteUrl,
      InitiatingProcessFileName, InitiatingProcessCommandLine,
      RegistryKey = "", RegistryValueName = "", RegistryValueData = "", DetectionType = "Traffic Over Known Tethered-Subnet IP";
RndisRegistryEvents
| project Timestamp, DeviceName, AccountName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType
| union (TetheredSubnetTraffic | project Timestamp, DeviceName, AccountName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType)
| sort by Timestamp desc

Detects USB RNDIS tethering device installation via DeviceRegistryEvents, matching either the Windows Network adapter class GUID ({4d36e972-e325-11ce-bfc1-08002be10318}) being populated with an RNDIS/mobile-device driver, or PnP registry value data containing known tethering-vendor strings (Apple Mobile Device, Android Bootloader Interface, RNDIS). Correlates with a second signal for outbound connections whose LocalIP falls in the RFC1918 ranges Android and iOS use by default for USB/hotspot tethering NAT (192.168.42.0/24, 192.168.43.0/24, 172.20.10.0/28), which is the actual channel the exfiltrated data would traverse once the adapter is active.

high severity medium confidence

Data Sources

Windows Registry: Registry Key Modification Network Traffic: Network Connection Creation Microsoft Defender for Endpoint (DeviceRegistryEvents, DeviceNetworkEvents)

Required Tables

DeviceRegistryEvents DeviceNetworkEvents

False Positives

  • IT-approved break-glass internet failover using an employee's personal phone as a tethered hotspot during an ISP or corporate network outage
  • Field/remote workers on company-issued devices legitimately using phone tethering where no wired or WiFi corporate network is available and policy permits it
  • Mobile device management (MDM) or BYOD test benches that intentionally connect phones via USB for provisioning, not tethering
  • Developers debugging Android/iOS applications over a USB connection (adb/Xcode) that also exposes an RNDIS interface as a side effect of the debug driver

Sigma rule & cross-platform mapping

The detection logic for Data Exfiltration via USB Cellular Modem / Mobile Hotspot Tethering (Corporate Network Bypass) (THREAT-USBTethering-NetworkBypassExfil) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource:

logsource:
  category: network_connection
  product: windows

Browse the community-maintained Sigma rules for this technique:


Testing Methodology

Validate this detection against 2 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Simulated RNDIS Network Adapter Class Registry Write

    Expected signal: Sysmon Event ID 13 (Registry Value Set) / DeviceRegistryEvents: a value write under the test key with data containing 'Remote NDIS', 'Android Bootloader Interface', and 'usbrndis6.inf'.

  2. Test 2Simulated Traffic Over a Tethered-Subnet IP Range

    Expected signal: Sysmon Event ID 3 (Network Connection) / DeviceNetworkEvents: an outbound connection with LocalIP/SourceIp of 192.168.42.100, matching the Android default USB-tethering NAT subnet.

Unlock playbooks & atomic tests with Pro

Get the full detection package for THREAT-USBTethering-NetworkBypassExfil — response playbook and atomic red team tests, plus investigation guidance and hunting queries.

df00tech Pro — £29/user/month

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections