Adversaries may communicate using publish/subscribe (pub/sub) application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Protocols such as <code>MQTT</code>, <code>XMPP</code>, <code>AMQP</code>, and <code>STOMP</code> use a publish/subscribe design, with message distribution managed by a centralized broker.(Citation: wailing crab sub/pub)(Citation: Mandiant APT1 Appendix) Publishers categorize their messages by topics, while subscribers receive messages according to their subscribed topics.(Citation: wailing crab sub/pub) An adversary may abuse publish/subscribe protocols to communicate with systems under their control from behind a message broker while also mimicking normal, expected traffic.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| DE.AE-02.01 | Event analysis and detection | Mitigates | T1071.005 | Publish/Subscribe Protocols |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
References
|
| DE.CM-01.01 | Intrusion detection and prevention | Mitigates | T1071.005 | Publish/Subscribe Protocols |
Comments
This diagnostic statement protects against adversaries that may try to utilize different protocols to abuse packets produced from these protocols. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level.
References
|
| PR.IR-04.01 | Utilization monitoring | Mitigates | T1071.005 | Publish/Subscribe Protocols |
Comments
This diagnostic statement describes how the organization establishes and manages baseline measures of network activity. Supported by network monitoring tools and other controls to detect events and identify incidents. Mitigating mechanisms may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation for these type of network-based techniques.
References
|
| PR.IR-01.02 | Network device configurations | Mitigates | T1071.005 | Publish/Subscribe Protocols |
Comments
This diagnostic statement provides protection through secure network device configurations (e.g., firewall rules, ports, protocols) aligned to security baselines. Using network appliances to block or filter network traffic that is not necessary within the environment can mitigate adversary use of application layer protocols.
References
|
| PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1071.005 | Publish/Subscribe Protocols |
Comments
This diagnostic statement protects against Publish/Subscribe Protocols through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
References
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1071.005 | Publish/Subscribe Protocols |
Comments
This diagnostic statement protects against Publish/Subscribe Protocols through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| SC-31 | Covert Channel Analysis | mitigates | T1071.005 | Publish/Subscribe Protocols | |
| SI-04 | System Monitoring | mitigates | T1071.005 | Publish/Subscribe Protocols | |
| AC-04 | Information Flow Enforcement | mitigates | T1071.005 | Publish/Subscribe Protocols | |
| SC-07 | Boundary Protection | mitigates | T1071.005 | Publish/Subscribe Protocols |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.malware.variety.C2 | Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. | related-to | T1071.005 | Publish/Subscribe Protocols | |
| action.malware.variety.Evade Defenses | Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. | related-to | T1071.005 | Publish/Subscribe Protocols |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| alerts_for_azure_network_layer | Alerts for Azure Network Layer | technique_scores | T1071.005 | Publish/Subscribe Protocols |
Comments
This control can identify connections to known malicious sites.
References
|
| azure_firewall | Azure Firewall | technique_scores | T1071.005 | Publish/Subscribe Protocols |
Comments
This control can filter network traffic on ports associated with this technique.
References
|
| azure_network_watcher_traffic_analytics | Azure Network Watcher: Traffic Analytics | technique_scores | T1071.005 | Publish/Subscribe Protocols |
Comments
This control can detect anomalous application protocol traffic related to this technique.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| cloud_ngfw | Cloud Next-Generation Firewall (NGFW)_ | technique_scores | T1071.005 | Publish/Subscribe Protocols |
Comments
Cloud NGFW can allow or deny traffic based on the traffic's protocol, destination ports, sources, and destinations. This functionality can be used to block malicious or unwanted traffic leveraging application layer protocols. Given this supports all sub-techniques, the mapping is given a score of Significant.
References
|