AN0003: Analytic 0003
Detects CLI tools (e.g., mosquitto_pub, nc, python scripts) interacting with pub/sub brokers using unusual topic names, high-frequency publication rates, or obfuscated payloads to non-standard hosts.
Analyst context for executives and security teams
AN0003 is a Linux-focused detection analytic for spotting command-line tools or scripts interacting with publish/subscribe brokers in suspicious ways, such as unusual topic names, rapid publication rates, obfuscated payloads, or connections to non-standard hosts. Its business value is in validating whether SOC teams can see broker abuse that may bypass normal application monitoring by blending into messaging workflows.
Executive priority
Prioritize this where Linux systems, automation scripts, IoT/OT-adjacent services, or application platforms use pub/sub messaging. Leaders should ask whether broker activity is monitored as security-relevant evidence, not only as application telemetry. This analytic can support resilience and audit discussions by showing whether teams can distinguish expected messaging behavior from anomalous CLI-driven publication patterns.
Technical view
For SOC, detection engineering, and IR teams, validate visibility across Linux process execution, command-line arguments, script interpreter activity, outbound network connections, and broker-side logs. The analytic is centered on CLI tools such as mosquitto_pub, nc, and Python scripts interacting with pub/sub brokers using unusual topics, high publication frequency, obfuscated payloads, or non-standard destinations. Because no official detection logic or ATT&CK tactic mapping is supplied, teams should build environment-specific baselines for approved broker hosts, normal topic naming patterns, expected publish rates, and sanctioned automation accounts or scripts.
Likely telemetry
- Linux process creation and command-line telemetry
- Shell history or audit records where available
- Python/script interpreter execution telemetry
- Outbound network connection logs from Linux hosts
- DNS and destination host resolution logs
Detection direction
- Baseline legitimate pub/sub clients, broker hosts, topic naming conventions, and normal publication rates before alerting on anomalies.
- Correlate CLI execution with network connections to broker services and broker-side publish events.
- Tune for administrative scripts, test clients, monitoring jobs, and CI/CD automation that may legitimately use CLI publication tools.
- Look for mismatches such as interactive shell use from servers that normally publish through applications, publication to unfamiliar hosts, or unusual topic strings compared with local naming standards.
- Treat obfuscated payload indicators carefully; validate what metadata is available and avoid relying on payload inspection if privacy, encryption, or logging limits apply.
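One way to turn the baseline-and-correlate steps above into detection logic, as an added example that is not part of the ATT&CK object or this page's own content: it joins Linux process-creation events to outbound connections on (host, pid), checks each CLI publish against an approved-broker list, a topic-naming pattern and a per-actor publish-rate threshold, and treats a base64-shaped payload only as a weak signal. The event field names, baseline values and sample events are constructed assumptions and do not follow any particular EDR or broker log schema.

```python
"""Correlate Linux process-creation and outbound-connection telemetry to flag
anomalous CLI publishing to pub/sub brokers. Added example: event fields,
baseline values and sample events are constructed, not a real product schema."""
import re
import shlex
from collections import defaultdict

# Environment baseline (constructed values; build these from your own inventory).
APPROVED_BROKERS = {"mq.internal.example", "10.0.5.20"}
APPROVED_TOPIC_RE = re.compile(r"^(sensors|build|metrics)/[a-z0-9_/-]+$")
PUBSUB_TOOLS = {"mosquitto_pub", "mosquitto_sub"}
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]{12,}={0,2}$")  # weak "encoded payload" heuristic
RATE_WINDOW_SEC = 60
RATE_THRESHOLD = 5  # publishes per window per (host, user) before flagging

# Constructed process-creation events (ts is seconds since epoch).
PROCESS_EVENTS = [
    {"ts": 1000, "host": "app01", "pid": 4101, "user": "ci",
     "cmdline": "/usr/bin/mosquitto_pub -h mq.internal.example -t build/status -m ok"},
    {"ts": 1010, "host": "app01", "pid": 4102, "user": "ci",
     "cmdline": "/usr/bin/mosquitto_pub -h mq.internal.example -t build/status -m failed"},
    {"ts": 1020, "host": "db02", "pid": 5200, "user": "www-data",
     "cmdline": "mosquitto_pub -h 203.0.113.7 -t x/9f3a -m aGVsbG8gd29ybGQ="},
    {"ts": 1030, "host": "db02", "pid": 5201, "user": "www-data", "cmdline": "/bin/ls -la"},
] + [
    {"ts": 1040 + i, "host": "db02", "pid": 5300 + i, "user": "www-data",
     "cmdline": f"mosquitto_pub -h 203.0.113.7 -t x/9f3a -m chunk{i}"}
    for i in range(6)
]
# Constructed outbound-connection events, joinable to processes on (host, pid).
NET_EVENTS = [
    {"host": "app01", "pid": 4101, "dst_host": "mq.internal.example", "dst_port": 1883},
    {"host": "app01", "pid": 4102, "dst_host": "mq.internal.example", "dst_port": 1883},
    {"host": "db02", "pid": 5200, "dst_host": "203.0.113.7", "dst_port": 1883},
] + [
    {"host": "db02", "pid": 5300 + i, "dst_host": "203.0.113.7", "dst_port": 1883}
    for i in range(6)
]


def parse_publish(cmdline):
    """Extract (broker, topic, payload) from a mosquitto_pub/_sub command line, else None."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:
        return None
    if not argv or argv[0].rsplit("/", 1)[-1] not in PUBSUB_TOOLS:
        return None
    opts = {"-h": None, "-t": None, "-m": None}
    for flag, value in zip(argv, argv[1:]):
        if flag in opts:
            opts[flag] = value
    return opts["-h"], opts["-t"], opts["-m"]


def burst_count(timestamps, window=RATE_WINDOW_SEC):
    """Largest number of events falling inside any span of `window` seconds."""
    ts = sorted(timestamps)
    best, start = 0, 0
    for end, t in enumerate(ts):
        while t - ts[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def analyze(process_events, net_events):
    """Return one finding per suspicious publish, listing the baseline checks it failed."""
    conns = {(e["host"], e["pid"]): e for e in net_events}
    by_actor = defaultdict(list)
    candidates = []
    for ev in process_events:
        parsed = parse_publish(ev["cmdline"])
        if parsed is None:
            continue
        broker_arg, topic, payload = parsed
        conn = conns.get((ev["host"], ev["pid"]))
        # Prefer the destination observed on the wire over the command-line argument.
        dest = conn["dst_host"] if conn else broker_arg
        reasons = []
        if dest not in APPROVED_BROKERS:
            reasons.append(f"non-standard broker {dest}")
        if not topic or not APPROVED_TOPIC_RE.match(topic):
            reasons.append(f"unusual topic {topic!r}")
        if payload and BASE64_RE.match(payload):
            reasons.append("payload looks encoded (weak signal)")
        actor = (ev["host"], ev["user"])
        by_actor[actor].append(ev["ts"])
        candidates.append((ev, actor, reasons))
    bursty = {a for a, ts in by_actor.items() if burst_count(ts) > RATE_THRESHOLD}
    findings = []
    for ev, actor, reasons in candidates:
        if actor in bursty:
            reasons.append("high publish rate")
        if reasons:
            findings.append({"host": ev["host"], "pid": ev["pid"],
                             "user": ev["user"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze(PROCESS_EVENTS, NET_EVENTS):
        print(f)
```

The approved publishes from `app01` produce no findings, while the `db02` activity is flagged on every check; the payload heuristic is deliberately kept as a secondary reason so that tuning can drop it where payload logging is unavailable or constrained.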
Mitigation priorities
- Inventory approved pub/sub brokers, clients, service accounts, scripts, and expected Linux publishers.
- Restrict broker access to authorized hosts and identities using existing network and identity controls.
- Apply least privilege to broker topics and publishing permissions where supported by the messaging platform.
- Centralize broker and Linux endpoint logs needed to correlate process execution with publish activity.
- Create operational baselines for topic names, destination hosts, and publish frequency, then review deviations through SOC workflows.
Analyst notes and limits
This object is a detection analytic, not a technique. The supplied ATT&CK fields specify Linux as the platform and describe suspicious CLI interaction with pub/sub brokers, but provide no tactic, detection logic, relationships, aliases, or labels. The most useful implementation work is local: identify what brokers exist, what normal publishing looks like, and whether endpoint and broker telemetry can be joined.
Official detection content is not provided, and no relationships are supplied. The summary should not be read as evidence of active exploitation, attribution, or guaranteed detection coverage. Applicability depends on whether the environment uses pub/sub brokers and whether Linux endpoint and broker telemetry are collected with enough detail.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | b0e417a9cda2… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack AN0003
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.