Skip to content

T1071.005 Publish/Subscribe Protocols

Adversaries may communicate using publish/subscribe (pub/sub) application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.

Protocols such as MQTT, XMPP, AMQP, and STOMP use a publish/subscribe design, with message distribution managed by a centralized broker.12 Publishers categorize their messages by topics, while subscribers receive messages according to their subscribed topics.1 An adversary may abuse publish/subscribe protocols to communicate with systems under their control from behind a message broker while also mimicking normal, expected traffic.

Item Value
ID T1071.005
Sub-techniques T1071.001, T1071.002, T1071.003, T1071.004, T1071.005
Tactics TA0011
Platforms Linux, Network Devices, Windows, macOS
Version 1.1
Created 28 August 2024
Last Modified 15 April 2025

Procedure Examples

ID Name Description
S0026 GLOOXMAIL GLOOXMAIL communicates to servers operated by Google using the Jabber/XMPP protocol for C2.2

Mitigations

ID Mitigation Description
M1037 Filter Network Traffic Consider filtering publish/subscribe protocol requests to untrusted or known bad resources over irregular ports (e.g. MQTT’s standard ports are 1883 or 8883).
M1031 Network Intrusion Prevention Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level.

References

  1. Hammond, Charlotte. Villadsen, Ole. Metrick, Kat.. (2023, November 21). Stealthy WailingCrab Malware misuses MQTT Messaging Protocol. Retrieved August 28, 2024. 

  2. Mandiant. (n.d.). Appendix C (Digital) - The Malware Arsenal. Retrieved July 18, 2016.