Exfiltration Over Other Network Medium

Adversaries may attempt to exfiltrate data over a different network medium than the command and control channel. If the command and control network is a wired Internet connection, the exfiltration may occur, for example, over a WiFi connection, modem, cellular data connection, Bluetooth, or another radio frequency (RF) channel.

Adversaries may choose to do this if they have sufficient access or proximity, and the connection might not be secured or defended as well as the primary Internet-connected channel because it is not routed through the same enterprise network

ID: T1011
Sub-techniques:  T1011.001
Tactic: Exfiltration
Platforms: Linux, Windows, macOS
Requires Network:  Yes
Contributors: Itzik Kotler, SafeBreach
Version: 1.1
Created: 31 May 2017
Last Modified: 28 March 2020
Provided by LAYER 8

Mitigations

ID Mitigation Description
M1028 Operating System Configuration

Prevent the creation of new network adapters where possible.[1] [2]

Detection

ID Data Source Data Component
DS0017 Command Command Execution
DS0022 File File Access
DS0029 Network Traffic Network Connection Creation
Network Traffic Content
Network Traffic Flow

Monitor for processes utilizing the network that do not normally have network communication or have never been seen before. Processes that normally require user-driven events to access the network (for example, a web browser opening with a mouse click or key press) but access the network without such may be malicious.

Monitor for and investigate changes to host adapter settings, such as addition and/or replication of communication interfaces.

References