Exfiltration

T1011: Exfiltration Over Other Network Medium


T1011 · Technique · 3 platforms

Description

Adversaries may attempt to exfiltrate data over a different network medium than the command and control channel. If the command and control network is a wired Internet connection, the exfiltration may occur, for example, over a WiFi connection, modem, cellular data connection, Bluetooth, or another radio frequency (RF) channel.

Adversaries may choose to do this if they have sufficient access or proximity, and the connection might not be secured or defended as well as the primary Internet-connected channel because it is not routed through the same enterprise network.

Platforms

Linux, macOS, Windows

Sub-Techniques (1)

Mitigations (2)

Disable or Remove Feature or Program (M1042)

Disable WiFi connection, modem, cellular data connection, Bluetooth, or another radio frequency (RF) channel in local computer security settings or by group policy if it is not needed within an environment.

Operating System Configuration (M1028)

Prevent the creation of new network adapters where possible.(Citation: Microsoft GPO Bluetooth FEB 2009)(Citation: TechRepublic Wireless GPO FEB 2009)
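An added defender-side example, not code from the ATT&CK page or from MITRE: a Python audit that turns the two mitigations above into host checks, flagging adapters that appeared since a known-good baseline (the M1028 concern) and enabled adapters on WiFi, cellular or Bluetooth media (the M1042 concern). The inventory text format, the sample inventories and the PhysicalMediaType strings are assumptions made for this example.

```python
from dataclasses import dataclass

# Mapping from PhysicalMediaType strings (as Windows Get-NetAdapter reports them)
# to the alternate medium named in the technique description. The exact strings
# are an assumption for this example; check them against your own inventory.
ALTERNATE_MEDIA = {
    "Native 802.11": "WiFi",
    "Wireless WAN": "cellular data",
    "BlueTooth": "Bluetooth",
}

@dataclass(frozen=True)
class Adapter:
    name: str
    media: str      # PhysicalMediaType-style string
    enabled: bool   # True when the adapter is up rather than disabled

def parse_inventory(text: str) -> list:
    """Parse a constructed 'name | media | Up/Disabled' export into Adapter records."""
    adapters = []
    for line in text.strip().splitlines():
        name, media, status = (field.strip() for field in line.split("|"))
        adapters.append(Adapter(name, media, status.lower() == "up"))
    return adapters

def audit(baseline: list, current: list) -> dict:
    """Compare a host's current adapters against a known-good baseline.

    new_adapter      - names absent from the baseline (M1028 concern)
    reenabled        - adapters disabled in the baseline but up now
    alternate_medium - enabled adapters on WiFi/cellular/Bluetooth media (M1042)
    """
    base_by_name = {a.name: a for a in baseline}
    findings = {"new_adapter": [], "reenabled": [], "alternate_medium": []}
    for adapter in current:
        prior = base_by_name.get(adapter.name)
        if prior is None:
            findings["new_adapter"].append(adapter.name)
        elif not prior.enabled and adapter.enabled:
            findings["reenabled"].append(adapter.name)
        medium = ALTERNATE_MEDIA.get(adapter.media)
        if medium and adapter.enabled:
            findings["alternate_medium"].append(f"{adapter.name} ({medium})")
    return findings

# Constructed sample inventories, not data from a real host.
BASELINE = "Ethernet | 802.3 | Up\nWi-Fi | Native 802.11 | Disabled"
CURRENT = BASELINE.replace("Disabled", "Up") + (
    "\nBluetooth Network Connection | BlueTooth | Up\nCellular | Wireless WAN | Up")
print(audit(parse_inventory(BASELINE), parse_inventory(CURRENT)))
```

Feed it the output of a scheduled inventory export and alert on any non-empty finding list; a clean host against its own baseline returns three empty lists.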

Frequently Asked Questions

What is T1011 (Exfiltration Over Other Network Medium)?

T1011 is a MITRE ATT&CK technique named 'Exfiltration Over Other Network Medium'. It belongs to the Exfiltration tactic. Adversaries may attempt to exfiltrate data over a different network medium than the command and control channel. If the command and control network is a wired Internet connection, the exfiltration may occur, for example, over a WiFi connection, modem, cellular data connection, Bluetooth, or another radio frequency (RF) channel.

How can T1011 be detected?

Detection of T1011 (Exfiltration Over Other Network Medium) typically involves monitoring system logs, network traffic, and endpoint telemetry, in particular for network adapters that are newly created or enabled and for WiFi, cellular, Bluetooth or other RF connections that are not routed through the enterprise network. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.

What mitigations exist for T1011?

There are 2 documented mitigations for T1011: Disable or Remove Feature or Program (M1042) and Operating System Configuration (M1028).

Which threat groups use T1011?

While specific threat group attribution may vary, this technique has been observed in various real-world attacks. Check the MITRE ATT&CK website for the latest threat intelligence.