T1071.005 Google Chronicle · YARA-L

Detect Publish/Subscribe Protocols in Google Chronicle

Adversaries may communicate using publish/subscribe (pub/sub) application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. Protocols such as MQTT, XMPP, AMQP, and STOMP use a publish/subscribe design, with message distribution managed by a centralized broker. Publishers categorize their messages by topics, while subscribers receive messages according to their subscribed topics. An adversary may abuse publish/subscribe protocols to communicate with systems under their control from behind a message broker while also mimicking normal, expected traffic.

MITRE ATT&CK

Tactic
Command and Control
Technique
T1071 Application Layer Protocol
Sub-technique
T1071.005 Publish/Subscribe Protocols
Canonical reference
https://attack.mitre.org/techniques/T1071/005/

YARA-L Detection Query

Google Chronicle (YARA-L)
rule t1071_005_pubsub_protocol_external_c2 {
  meta:
    author          = "Detection Engineering"
    description     = "Detects repeated outbound connections to pub/sub protocol ports (MQTT, XMPP, AMQP, STOMP) targeting non-RFC-1918 addresses. High suspicion for XMPP/STOMP and non-broker MQTT; medium for AMQP."
    mitre_attack_tactic   = "Command and Control"
    mitre_attack_technique = "T1071.005"
    severity        = "HIGH"
    priority        = "HIGH"

  events:
    $net.metadata.event_type = "NETWORK_CONNECTION"
    $net.network.direction   = "OUTBOUND"
    $net.target.port in (
      1883, 8883,
      5222, 5223, 5269,
      5672, 5671,
      61613, 61614
    )
    // Exclude RFC-1918 and loopback destinations
    not re.regex(
      $net.target.ip,
      `^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.)`
    )
    // Exclude known-legitimate MQTT clients
    not (
      $net.target.port in (1883, 8883) and
      re.regex($net.principal.process.file.full_path, `(?i)(mosquitto_pub|mosquitto_sub|mosquitto)(\.exe)?$`)
    )
    $net.principal.hostname = $host

  match:
    $host over 1h

  outcome:
    $connection_count  = count_distinct($net.target.ip)
    $protocols_seen    = array_distinct(
      if($net.target.port = 1883 or $net.target.port = 8883,  "MQTT",
      if($net.target.port = 5222 or $net.target.port = 5223 or $net.target.port = 5269, "XMPP",
      if($net.target.port = 5672 or $net.target.port = 5671,  "AMQP",
      if($net.target.port = 61613 or $net.target.port = 61614, "STOMP", "Unknown"))))
    )
    $initiating_process = array_distinct($net.principal.process.file.full_path)
    $target_ips         = array_distinct($net.target.ip)

  condition:
    #net > 1
}
Severity: High · Confidence: Medium

Chronicle YARA-L 2.0 rule that correlates outbound network connection events from a single host, within a 1-hour window, to pub/sub protocol ports on non-private IP destinations. The match block groups by hostname; the condition threshold (#net > 1) requires more than one qualifying connection per host per window, which suppresses single-event noise in line with the reference queries. Outcome fields surface the protocol type, initiating process, and distinct target IPs for triage context.

Data Sources

  • Google Chronicle UDM — network connection events from endpoint agents (CrowdStrike, Carbon Black, SentinelOne ingested via Chronicle forwarder)
  • Chronicle network sensor or firewall log ingestion with UDM normalization
  • Google Chronicle Security Operations with SIEM log ingestion

Required Tables

  • UDM events with metadata.event_type = NETWORK_CONNECTION
  • principal.process.file.full_path populated (requires an endpoint agent, not just firewall logs)

False Positives & Tuning

  • Legitimate IoT fleet management agents installed on endpoints (Balena, Fleet.io, AWS IoT Greengrass Edge) that maintain persistent MQTT sessions to cloud brokers — these will fire repeatedly and should be whitelisted by process path or target IP
  • Corporate unified communications clients making persistent XMPP connections to Google Chat, Cisco WebEx, or on-premises Openfire servers — high connection-count sessions will match the #net > 1 threshold
  • Containers or VM agents on developer workstations running local-to-remote AMQP tests against CloudAMQP trial instances or public RabbitMQ test brokers during application development cycles
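To check the rule's filtering, grouping, and outcome logic (and the allowlisting by process path or target IP suggested in the tuning notes) before deploying it, the following Python model is added here; it is not part of the original page or of Chronicle. It assumes simplified event dicts in place of UDM fields, a single fixed 1-hour window anchored on each host's first matching event rather than Chronicle's own match-window semantics, and constructed sample telemetry.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Port-to-protocol map and the two regexes are copied from the rule above.
PUBSUB_PORTS = {1883: "MQTT", 8883: "MQTT", 5222: "XMPP", 5223: "XMPP", 5269: "XMPP",
                5672: "AMQP", 5671: "AMQP", 61613: "STOMP", 61614: "STOMP"}
PRIVATE_RE = re.compile(r"^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.)")
MQTT_CLIENT_RE = re.compile(r"(?i)(mosquitto_pub|mosquitto_sub|mosquitto)(\.exe)?$")

def event_matches(ev, allow_paths=(), allow_ips=()):
    """Events-section predicates of the rule plus the process/IP allowlists from the tuning notes."""
    if ev["event_type"] != "NETWORK_CONNECTION" or ev["direction"] != "OUTBOUND":
        return False
    if ev["port"] not in PUBSUB_PORTS or PRIVATE_RE.match(ev["target_ip"]):
        return False
    if ev["port"] in (1883, 8883) and MQTT_CLIENT_RE.search(ev["process"]):
        return False  # known-legitimate MQTT command-line clients
    return ev["process"] not in allow_paths and ev["target_ip"] not in allow_ips

def evaluate(events, allow_paths=(), allow_ips=(), window=timedelta(hours=1)):
    """Group matches by hostname, fire on more than one per window, build the outcome fields."""
    by_host = defaultdict(list)
    for ev in events:
        if event_matches(ev, allow_paths, allow_ips):
            by_host[ev["hostname"]].append(ev)
    detections = {}
    for host, evs in sorted(by_host.items()):
        evs.sort(key=lambda e: e["ts"])
        # Simplification (assumption): one window anchored on the host's first matching event.
        hits = [e for e in evs if e["ts"] - evs[0]["ts"] <= window]
        if len(hits) > 1:  # condition: #net > 1
            detections[host] = {"connection_count": len({e["target_ip"] for e in hits}),
                                "protocols_seen": sorted({PUBSUB_PORTS[e["port"]] for e in hits}),
                                "initiating_process": sorted({e["process"] for e in hits}),
                                "target_ips": sorted({e["target_ip"] for e in hits})}
    return detections

def _ev(host, proc, ip, port, minute):
    return {"event_type": "NETWORK_CONNECTION", "direction": "OUTBOUND", "hostname": host,
            "process": proc, "target_ip": ip, "port": port, "ts": datetime(2024, 1, 1, 9, minute)}
# Constructed sample telemetry (not real data); one scenario per host.
SAMPLE_EVENTS = [
    _ev("ws-01", "/usr/bin/nc", "203.0.113.10", 5222, 5),             # XMPP to a public IP
    _ev("ws-01", "/usr/bin/python3", "203.0.113.11", 61613, 20),      # STOMP to a public IP: fires
    _ev("ws-02", "/usr/bin/mosquitto_pub", "203.0.113.20", 1883, 5),  # mosquitto client: excluded
    _ev("ws-02", "/usr/bin/mosquitto_pub", "203.0.113.20", 1883, 6),
    _ev("ws-03", "/usr/bin/nc", "127.0.0.1", 5222, 5),                # loopback (as in the Atomic tests): excluded
    _ev("ws-03", "/usr/bin/nc", "127.0.0.1", 5222, 6),
    _ev("iot-gw", "/opt/balena/agent", "198.51.100.5", 8883, 1),      # fleet agent: fires unless allowlisted
    _ev("iot-gw", "/opt/balena/agent", "198.51.100.5", 8883, 31),
]
```

Running `evaluate(SAMPLE_EVENTS)` fires for ws-01 and iot-gw only; passing `allow_paths={"/opt/balena/agent"}` or `allow_ips={"198.51.100.5"}` removes the fleet-agent host, which is the tuning the bullets above describe.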

Testing Methodology

Validate this detection against the 3 Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Note that all three tests connect to 127.0.0.1, which the rule's loopback exclusion filters out (and Tests 1 and 3 use the mosquitto clients the rule also excludes), so as written they exercise the telemetry pipeline rather than the rule itself; to confirm the rule fires, point the client at a non-private lab broker address or temporarily relax those exclusions.

  1. Test 1: MQTT C2 Publish Simulation

    Expected signal: Sysmon for Linux Event ID 3: Network connection from mosquitto_pub to 127.0.0.1:1883. Process creation event for mosquitto_pub with topic name 'c2/beacon' and system data in the message payload.

  2. Test 2: XMPP C2 Connection Simulation

    Expected signal: Sysmon for Linux Event ID 3: Network connection from nc to 127.0.0.1:5222. Process creation event for nc with XMPP XML stanza in piped input.

  3. Test 3: MQTT Subscribe for Commands Simulation

    Expected signal: Sysmon for Linux Event ID 3: Network connection from mosquitto_sub to 127.0.0.1:1883. Long-lived connection (up to 10 seconds) as the client waits for messages on the 'c2/commands/#' wildcard topic.

