MITRE ATT&CK® Detection Strategy

DET0002: Behavioral Detection of Publish/Subscribe Protocol Misuse for C2


Enterprise | DET0002 | Detection Strategy | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This detection strategy matters because publish/subscribe protocols can be used as command-and-control channels that look like legitimate application messaging. Even though the detection object has no official description or detection logic, its relationship to ATT&CK technique T1071.005 makes the defensive question clear: can the organization distinguish expected MQTT, XMPP, AMQP, or STOMP usage from suspicious command-and-control-like behavior across enterprise systems and network devices?

Executive priority

Prioritize this where pub/sub messaging is used in production, cloud-connected services, operational technology-adjacent environments, or network infrastructure. Leaders should ask whether security teams have visibility into these protocols, whether approved brokers and clients are inventoried, and whether incident responders can quickly decide if unusual pub/sub traffic is business activity or potential command-and-control.

Technical view

For SOC and detection engineering teams, validate coverage around T1071.005, a command-and-control technique affecting macOS, Linux, Windows, and network devices. Focus on behavioral indicators rather than protocol presence alone: unexpected clients, unusual broker destinations, abnormal topic/channel patterns, new external endpoints, uncommon ports or encryption patterns, and process-to-network relationships where endpoint telemetry is available. Because no official detection text is supplied, local baselining is required.

Likely telemetry

  • Network flow records for client-to-broker and broker-to-client communication
  • Firewall, proxy, and secure web gateway logs showing destinations, ports, volumes, and timing
  • DNS logs for broker hostnames and newly observed messaging infrastructure
  • TLS metadata where available, such as SNI or certificate context, without relying on payload inspection
  • Application or broker logs for MQTT, XMPP, AMQP, or STOMP where the organization operates those services

Detection direction

  • Inventory legitimate pub/sub protocols, brokers, clients, service accounts, and expected destinations before alerting on protocol use.
  • Tune for deviations from known business messaging patterns, such as new clients, rare external brokers, unusual message timing, or unexpected systems initiating pub/sub sessions.
  • Correlate network observations with endpoint process context when possible to reduce false positives from approved applications.
  • Treat encrypted or tunneled pub/sub traffic as a visibility challenge; validate that metadata is still sufficient for triage.
  • Use the relationship to T1071.005 to map alerts into command-and-control investigation workflows rather than handling them as generic network anomalies.
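As an added example (not part of this page or of MITRE's object), the following script applies the baselining approach in the bullets above: it compares pub/sub flow records against a constructed approved-broker and approved-client inventory and flags client/broker pairs whose session timing is machine-regular. The port-to-protocol mapping, hostnames and flow records are assumptions built for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Default ports of the protocols the page names (plain and TLS variants); assumption
PUBSUB_PORTS = {1883: "MQTT", 8883: "MQTT", 5222: "XMPP", 5269: "XMPP",
                5672: "AMQP", 5671: "AMQP", 61613: "STOMP", 61614: "STOMP"}

# Constructed approved-use inventory (hypothetical hostnames)
APPROVED_BROKERS = {"mqtt.corp.example"}
APPROVED_CLIENTS = {"sensor-gw-01", "sensor-gw-02"}

# Constructed flow records: (client host, destination, destination port, epoch seconds)
SAMPLE_FLOWS = [
    ("sensor-gw-01", "mqtt.corp.example", 8883, 0),
    ("sensor-gw-01", "mqtt.corp.example", 8883, 37),
    ("sensor-gw-01", "mqtt.corp.example", 8883, 95),
    ("sensor-gw-01", "mqtt.corp.example", 8883, 140),
    ("sensor-gw-02", "mqtt.corp.example", 443, 10),   # not a pub/sub port, ignored
    ("ws-finance-07", "203.0.113.25", 1883, 0),
    ("ws-finance-07", "203.0.113.25", 1883, 60),
    ("ws-finance-07", "203.0.113.25", 1883, 120),
    ("ws-finance-07", "203.0.113.25", 1883, 180),
    ("ws-finance-07", "203.0.113.25", 1883, 240),
]

def classify_flows(flows, brokers, clients, min_sessions=4, max_cv=0.1):
    """Group pub/sub flows per client/broker pair and return the pairs that deviate
    from the inventory or show beacon-like regularity in their session timing."""
    sessions = defaultdict(list)
    for src, dst, dport, ts in flows:
        proto = PUBSUB_PORTS.get(dport)
        if proto:                       # only protocols in scope for T1071.005
            sessions[(src, dst, proto)].append(ts)
    alerts = []
    for (src, dst, proto), stamps in sessions.items():
        reasons = []
        if dst not in brokers:
            reasons.append("unknown broker")
        if src not in clients:
            reasons.append("unexpected client")
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if len(stamps) >= min_sessions and gaps and mean(gaps) > 0:
            cv = pstdev(gaps) / mean(gaps)   # low variation = machine-regular timing
            if cv <= max_cv:
                reasons.append(f"beacon-like interval (cv={cv:.2f})")
        if reasons:
            alerts.append({"src": src, "dst": dst, "proto": proto, "reasons": reasons})
    return alerts
```

The approved gateway's irregular sessions produce no alert; the workstation talking to an uninventoried broker on a fixed 60-second cadence is flagged on all three criteria.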

Mitigation priorities

  • Establish an approved-use inventory for pub/sub protocols and brokers.
  • Restrict outbound access to only required messaging services and destinations where operationally feasible.
  • Require authentication, authorization, and logging for internally managed brokers.
  • Review firewall, proxy, and network segmentation policy for unnecessary pub/sub exposure.
  • Ensure incident response playbooks include how to validate pub/sub traffic, identify the owning application, and preserve relevant broker, network, and endpoint evidence.

Analyst notes and limits

The ATT&CK object is a detection strategy named Behavioral Detection of Publish/Subscribe Protocol Misuse for C2 and is explicitly related to T1071.005 Publish/Subscribe Protocols under command-and-control. The practical value is in validating whether behavioral monitoring exists around protocols such as MQTT, XMPP, AMQP, and STOMP, not in assuming that any use of these protocols is malicious.

The supplied object has no official description, no official detection text, no tactics, and no platforms of its own. Platform and tactic context comes from the related technique only. This take does not assert active exploitation, attribution, specific tools, or guaranteed detection coverage; local architecture, protocol usage, and telemetry quality determine applicability.

Official MITRE ATT&CK definition

Behavioral Detection of Publish/Subscribe Protocol Misuse for C2

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row
Domain | ID | Name | Relationship / procedure
Enterprise | T1071.005 | Publish/Subscribe Protocols (sub-technique) | This object detects Publish/Subscribe Protocols.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
b084c21dbb3d998e...
Imported snapshots across ATT&CK releases (1)
Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | b084c21dbb3d…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack DET0002

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.