T1071.005 Sumo Logic CSE · Sumo

Detect Publish/Subscribe Protocols in Sumo Logic CSE

Adversaries may communicate using publish/subscribe (pub/sub) application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. Protocols such as MQTT, XMPP, AMQP, and STOMP use a publish/subscribe design, with message distribution managed by a centralized broker. Publishers categorize their messages by topics, while subscribers receive messages according to their subscribed topics. An adversary may abuse publish/subscribe protocols to communicate with systems under their control from behind a message broker while also mimicking normal, expected traffic.

MITRE ATT&CK

Tactic
Command and Control
Technique
T1071 Application Layer Protocol
Sub-technique
T1071.005 Publish/Subscribe Protocols
Canonical reference
https://attack.mitre.org/techniques/T1071/005/

Sumo Detection Query

Sumo Logic CSE (Sumo)
sql 
(_sourceCategory=network OR _sourceCategory=firewall OR _sourceCategory=pan OR _sourceCategory=cisco/asa)
| where dest_port in (1883, 8883, 5222, 5223, 5269, 5672, 5671, 61613, 61614)
| where action = "allowed" or action = "permit" or isnull(action)
| eval Protocol = if(dest_port = 1883 or dest_port = 8883, "MQTT",
    if(dest_port = 5222 or dest_port = 5223 or dest_port = 5269, "XMPP",
    if(dest_port = 5672 or dest_port = 5671, "AMQP",
    if(dest_port = 61613 or dest_port = 61614, "STOMP", "Unknown"))))
| eval IsExternal = if(
    !starts_with(dest_ip, "10.") and
    !starts_with(dest_ip, "192.168.") and
    !starts_with(dest_ip, "127.") and
    !matches(dest_ip, "172\.(1[6-9]|2[0-9]|3[01])\\..*"),
    "yes", "no")
| where IsExternal = "yes"
| count as ConnectionCount, sum(bytes_out) as BytesSent, sum(bytes_in) as BytesReceived,
    min(_messageTime) as FirstSeen, max(_messageTime) as LastSeen
    by src_ip, dest_ip, dest_port, Protocol, IsExternal, process_name
| where ConnectionCount > 1
| eval Suspicion = if((Protocol = "XMPP" or Protocol = "STOMP"), "high",
    if(Protocol = "MQTT" and !matches(process_name, "(?i)mosquitto.*"), "high",
    if(Protocol = "AMQP", "medium", "low")))
| where Suspicion in ("high", "medium")
| fields LastSeen, FirstSeen, src_ip, dest_ip, Protocol, dest_port, process_name,
    ConnectionCount, BytesSent, BytesReceived, Suspicion
| sort by Suspicion, -ConnectionCount
high severity medium confidence

Sumo Logic query detecting outbound connections to pub/sub protocol ports from external-facing network and firewall log sources. Applies the same suspicion-scoring logic as the reference SPL: XMPP and STOMP to external destinations are high-confidence, MQTT from non-mosquitto processes is high, AMQP externally is medium. Requires network logs to include dest_port, dest_ip, src_ip, and optionally process_name fields normalized at ingest.

Data Sources

Palo Alto Networks firewall logs (_sourceCategory=network/paloalto or pan)Cisco ASA/FTD logs (_sourceCategory=cisco/asa)Generic firewall or flow logs with normalized dest_port, src_ip, dest_ip fieldsSumo Logic Cloud SIEM (CSE) network schema records

Required Tables

Network/firewall log sources with dest_port, src_ip, dest_ip, bytes_out, bytes_in fields

False Positives & Tuning

  • Cloud-connected building management or SCADA systems sending MQTT telemetry (sensor readings, alarms) to external IoT platforms such as AWS IoT Core, Azure IoT Hub, or HiveMQ Cloud
  • Customer service or sales platforms that use XMPP under the hood (some legacy Salesforce integrations, LiveChat products) will appear as repeated port-5222 connections from application servers
  • Development and CI/CD pipelines running integration tests against external RabbitMQ or ActiveMQ instances — engineers' workstations or build agents will show AMQP connections to cloud broker endpoints
Download portable Sigma rule (.yml)

Other platforms for T1071.005

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1MQTT C2 Publish Simulation

    Expected signal: Sysmon for Linux Event ID 3: Network connection from mosquitto_pub to 127.0.0.1:1883. Process creation event for mosquitto_pub with topic name 'c2/beacon' and system data in the message payload.

  2. Test 2XMPP C2 Connection Simulation

    Expected signal: Sysmon for Linux Event ID 3: Network connection from nc to 127.0.0.1:5222. Process creation event for nc with XMPP XML stanza in piped input.

  3. Test 3MQTT Subscribe for Commands Simulation

    Expected signal: Sysmon for Linux Event ID 3: Network connection from mosquitto_sub to 127.0.0.1:1883. Long-lived connection (up to 10 seconds) as the client waits for messages on the 'c2/commands/#' wildcard topic.

Last updated: 2026-04-13 Research depth: deep
References (6)

Unlock Pro Content

Get the full detection package for T1071.005 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1071Application Layer Protocol

Related Sub-techniques

T1071.001Web ProtocolsT1071.002File Transfer ProtocolsT1071.003Mail ProtocolsT1071.004DNS

Related Techniques

T1071Application Layer ProtocolT1102Web ServiceT1573Encrypted ChannelT1132Data EncodingT1572Protocol TunnelingT1090Proxy

Same Tactic: Command and Control

Popular Detections