| ID | Name |
|---|---|
| T1071.001 | Web Protocols |
| T1071.002 | File Transfer Protocols |
| T1071.003 | Mail Protocols |
| T1071.004 | DNS |
| T1071.005 | Publish/Subscribe Protocols |
Adversaries may communicate using publish/subscribe (pub/sub) application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Protocols such as MQTT, XMPP, AMQP, and STOMP use a publish/subscribe design, with message distribution managed by a centralized broker.[1][2] Publishers categorize their messages by topics, while subscribers receive messages according to their subscribed topics.[1] An adversary may abuse publish/subscribe protocols to communicate with systems under their control from behind a message broker while also mimicking normal, expected traffic.
| ID | Name | Description |
|---|---|---|
| S0026 | GLOOXMAIL |
GLOOXMAIL communicates to servers operated by Google using the Jabber/XMPP protocol for C2.[2] |
| ID | Mitigation | Description |
|---|---|---|
| M1037 | Filter Network Traffic |
Consider filtering publish/subscribe protocol requests to untrusted or known bad resources over irregular ports (e.g. MQTT’s standard ports are 1883 or 8883). |
| M1031 | Network Intrusion Prevention |
Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. |
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| DET0002 | Behavioral Detection of Publish/Subscribe Protocol Misuse for C2 | AN0002 |
Detects non-standard processes (e.g., PowerShell, python.exe, rundll32.exe) making outbound connections using publish/subscribe protocols (e.g., MQTT, AMQP) over non-browser, encrypted channels, often beaconing to message brokers. |
| AN0003 |
Detects CLI tools (e.g., mosquitto_pub, nc, python scripts) interacting with pub/sub brokers using unusual topic names, high-frequency publication rates, or obfuscated payloads to non-standard hosts. |
||
| AN0004 |
Detects osascript, curl, or custom binaries interacting with XMPP/MQTT brokers in unapproved destinations with encrypted payloads or frequent POST-like requests to broker URIs. |
||
| AN0005 |
Detects pub/sub traffic over unusual ports, high-frequency topic publications, and connections to known-bad or dynamic broker endpoints outside allowlisted infrastructure. |