Which SIEM platforms have a T1071.005 detection rule?

df00tech provides T1071.005 (Publish/Subscribe Protocols) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect Publish/Subscribe Protocols (T1071.005)?

Detecting Publish/Subscribe Protocols requires the following data sources: Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Flow, Microsoft Defender for Endpoint.

What severity and confidence is the T1071.005 detection?

The T1071.005 detection is rated high severity with medium confidence.

What are common false positives for T1071.005?

Common false positives for T1071.005 include: IoT platforms and home automation systems that legitimately use MQTT for device communication (Home Assistant, AWS IoT Core); Chat and messaging applications using XMPP (Pidgin, Conversations, Cisco Jabber); Message queue infrastructure (RabbitMQ, ActiveMQ, Apache Kafka) used for application integration.

T1071.005 IBM QRadar · QRadar

Detect Publish/Subscribe Protocols in IBM QRadar

Adversaries may communicate using publish/subscribe (pub/sub) application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. Protocols such as MQTT, XMPP, AMQP, and STOMP use a publish/subscribe design, with message distribution managed by a centralized broker. Publishers categorize their messages by topics, while subscribers receive messages according to their subscribed topics. An adversary may abuse publish/subscribe protocols to communicate with systems under their control from behind a message broker while also mimicking normal, expected traffic.

MITRE ATT&CK

Tactic: Command and Control
Technique: T1071 Application Layer Protocol
Sub-technique: T1071.005 Publish/Subscribe Protocols
Canonical reference: https://attack.mitre.org/techniques/T1071/005/

QRadar Detection Query

IBM QRadar (QRadar)

sql

SELECT
  DATEFORMAT(MIN(starttime)/1000, 'yyyy-MM-dd HH:mm:ss') AS FirstSeen,
  DATEFORMAT(MAX(starttime)/1000, 'yyyy-MM-dd HH:mm:ss') AS LastSeen,
  sourceip AS SrcIP,
  destinationip AS DstIP,
  destinationport AS DstPort,
  CASE
    WHEN destinationport IN (1883, 8883)             THEN 'MQTT'
    WHEN destinationport IN (5222, 5223, 5269)       THEN 'XMPP'
    WHEN destinationport IN (5672, 5671)             THEN 'AMQP'
    WHEN destinationport IN (61613, 61614)           THEN 'STOMP'
    ELSE 'Unknown'
  END AS Protocol,
  username,
  COUNT(*) AS ConnectionCount,
  SUM(sourcebytes)      AS BytesSent,
  SUM(destinationbytes) AS BytesReceived,
  CASE
    WHEN destinationport IN (5222, 5223, 5269, 61613, 61614) THEN 'high'
    WHEN destinationport IN (1883, 8883)                     THEN 'high'
    WHEN destinationport IN (5672, 5671)                     THEN 'medium'
    ELSE 'low'
  END AS Suspicion
FROM flows
WHERE starttime > NOW() - 86400000
  AND destinationport IN (1883, 8883, 5222, 5223, 5269, 5672, 5671, 61613, 61614)
  AND NOT (
        destinationip ILIKE '10.%'
     OR destinationip ILIKE '172.16.%' OR destinationip ILIKE '172.17.%'
     OR destinationip ILIKE '172.18.%' OR destinationip ILIKE '172.19.%'
     OR destinationip ILIKE '172.20.%' OR destinationip ILIKE '172.21.%'
     OR destinationip ILIKE '172.22.%' OR destinationip ILIKE '172.23.%'
     OR destinationip ILIKE '172.24.%' OR destinationip ILIKE '172.25.%'
     OR destinationip ILIKE '172.26.%' OR destinationip ILIKE '172.27.%'
     OR destinationip ILIKE '172.28.%' OR destinationip ILIKE '172.29.%'
     OR destinationip ILIKE '172.30.%' OR destinationip ILIKE '172.31.%'
     OR destinationip ILIKE '192.168.%'
     OR destinationip ILIKE '127.%'
  )
GROUP BY
  sourceip, destinationip, destinationport, Protocol, username, Suspicion
HAVING ConnectionCount > 1
   AND Suspicion IN ('high', 'medium')
ORDER BY Suspicion ASC, ConnectionCount DESC

high severity medium confidence

QRadar AQL flow query detecting repeated outbound connections to pub/sub protocol ports (MQTT, XMPP, AMQP, STOMP) reaching external addresses over the past 24 hours. Groups by source, destination, and port to surface repeated sessions. Note: QRadar flow records do not carry process-name context; correlate flagged source IPs with endpoint log sources (Sysmon event 3, Windows Security 5156) for process attribution.

Data Sources

QRadar Network Activity (flows) — requires flow collector with Layer 4 visibilityFirewall or network tap log sources forwarding to QRadarQRadar Network Insights (QNI) for deep packet metadata

Required Tables

flows

False Positives & Tuning

Industrial control systems or OT networks with MQTT-based telemetry pipelines (Ignition, Kepware, AWS IoT Greengrass) regularly making outbound MQTT connections to cloud brokers
SaaS-connected business applications using AMQP-over-TLS (port 5671) for event streaming to Azure Service Bus, CloudAMQP, or Amazon MQ — source IPs will be application servers, not user endpoints
Remote workforce using XMPP-based softphones or video conferencing clients (Cisco Jabber, Openfire-backed tools) that open persistent sessions to external Jabber servers on port 5222

Download portable Sigma rule (.yml)

Other platforms for T1071.005

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1MQTT C2 Publish Simulation
Expected signal: Sysmon for Linux Event ID 3: Network connection from mosquitto_pub to 127.0.0.1:1883. Process creation event for mosquitto_pub with topic name 'c2/beacon' and system data in the message payload.
Test 2XMPP C2 Connection Simulation
Expected signal: Sysmon for Linux Event ID 3: Network connection from nc to 127.0.0.1:5222. Process creation event for nc with XMPP XML stanza in piped input.
Test 3MQTT Subscribe for Commands Simulation
Expected signal: Sysmon for Linux Event ID 3: Network connection from mosquitto_sub to 127.0.0.1:1883. Long-lived connection (up to 10 seconds) as the client waits for messages on the 'c2/commands/#' wildcard topic.

Last updated: 2026-04-13 Research depth: deep

References (6)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1071.005 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Detect Publish/Subscribe Protocols in IBM QRadar

MITRE ATT&CK

QRadar Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for T1071.005

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Related Techniques

Same Tactic: Command and Control

Popular Detections

MITRE ATT&CK

QRadar Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for T1071.005

Testing Methodology

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Related Techniques

Same Tactic: Command and Control

Popular Detections

Get new detections in your inbox