title: Exfiltration Over Bluetooth (T1011.001)
id: df00tech-t1011-001
status: experimental
description: "Adversaries may attempt to exfiltrate data over Bluetooth rather than the command and control channel. If the command and control network is a wired Internet connection, an adversary may opt to exfiltrate data using a Bluetooth communication channel. Adversaries may choose to do this if they have sufficient access and proximity. Bluetooth connections might not be secured or defended as well as the primary Internet-connected channel because it is not routed through the same enterprise network. Real-world examples include the Flame malware's BeetleJuice module, which transmitted encoded data over Bluetooth and acted as a Bluetooth beacon to identify nearby Bluetooth-enabled devices."
references:
  - https://attack.mitre.org/techniques/T1011/001/
  - https://df00tech.com/detections/T1011.001
author: df00tech
date: 2026/04/13
tags:
  - attack.t1011.001
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # As written, the selection below matches every process_creation event and is a placeholder, not a working detection.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "IT administrators using Bluetooth utilities for device pairing, diagnostics, or inventory on managed endpoints"
  - "Developers building Bluetooth applications and testing their functionality on their workstations"
  - "Windows built-in Bluetooth file transfer wizard (fsquirt.exe) used by employees for legitimate personal file transfers between devices"
  - "Bluetooth speakers, headsets, or peripherals being managed via system utilities on user workstations"
level: high
