Response playbooks, investigation guides, and Atomic Red Team tests are Pro-only. Upgrade to unlock the full detection package for THREAT-USBTethering-NetworkBypassExfil.
Upgrade to ProDetect Data Exfiltration via USB Cellular Modem / Mobile Hotspot Tethering (Corporate Network Bypass) in Sumo Logic CSE
Exfiltration Over Other Network Medium (T1011) covers cases where an adversary routes data over a network channel other than the compromised host's primary, monitored corporate connection. One of the most practical instances of this on modern managed endpoints is USB cellular-modem or mobile-hotspot tethering: an operator (insider or malware with local/physical access) plugs an Android device configured for USB tethering, or an iPhone in Personal Hotspot mode, into a corporate workstation. Windows enumerates the phone as a USB RNDIS (Remote NDIS) network adapter and installs it automatically using an in-box driver (usbrndis6.inf or wceusbsh.inf for Windows Mobile Device Center-class devices), creating a second, fully-routable network path that bypasses the corporate proxy, DLP egress inspection, and firewall egress rules entirely — traffic over the tethered adapter never touches the monitored network segment. This is distinct from Bluetooth-based exfiltration (T1011.001, covered separately in this corpus), which uses a fundamentally different protocol stack and driver class, and distinct from T1052.001 (Exfiltration over USB), which covers copying data to USB mass-storage rather than using USB as a network transport. Because RNDIS tethering devices install via Windows' standard Plug and Play driver framework, their arrival is reliably observable in the registry even when process-level or network-flow visibility into the tethered link itself is unavailable (the OS routes traffic over the new adapter, which most EDR network sensors do not separately attribute).
MITRE ATT&CK
- Tactic
- Exfiltration
Sumo Detection Query
_sourceCategory=endpoint/registry
| parse "host=*," as host nodrop
| parse "RegistryKey=*," as registry_key nodrop
| parse "RegistryValueData=*," as registry_value_data nodrop
| where registry_key matches "*{4d36e972-e325-11ce-bfc1-08002be10318}*" or registry_value_data matches "*RNDIS*" or registry_value_data matches "*Android Bootloader Interface*" or registry_value_data matches "*usbrndis6.inf*"
| count as EventCount by host, registry_key, registry_value_data
| sort by EventCount desc Sumo Logic query over endpoint registry-event logs matching the Windows Network adapter class GUID or RNDIS/mobile-tethering vendor strings in registry value data, surfacing USB tethering device installation.
Data Sources
Required Tables
False Positives & Tuning
- IT-approved break-glass internet failover using tethering during an outage
- Developers debugging Android/iOS applications over USB (adb/Xcode)
- Field workers legitimately tethering where policy permits it
Other platforms for THREAT-USBTethering-NetworkBypassExfil
Testing Methodology
Validate this detection against 2 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Simulated RNDIS Network Adapter Class Registry Write
Expected signal: Sysmon Event ID 13 (Registry Value Set) / DeviceRegistryEvents: a value write under the test key with data containing 'Remote NDIS', 'Android Bootloader Interface', and 'usbrndis6.inf'.
- Test 2Simulated Traffic Over a Tethered-Subnet IP Range
Expected signal: Sysmon Event ID 3 (Network Connection) / DeviceNetworkEvents: an outbound connection with LocalIP/SourceIp of 192.168.42.100, matching the Android default USB-tethering NAT subnet.
Unlock playbooks & atomic tests with Pro
Get the full detection package for THREAT-USBTethering-NetworkBypassExfil — response playbook and atomic red team tests, plus investigation guidance and hunting queries.
df00tech Pro — £29/user/month