Publish/Subscribe Protocols - T1071.005
(ATT&CK® Technique)
Definition
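Adversaries may communicate using publish/subscribe (pub/sub) application layer protocols to avoid detection or network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. In pub/sub protocols such as MQTT, XMPP, AMQP and STOMP, messages are distributed through a central broker, so the compromised host typically connects only to the broker rather than directly to the adversary; defenders should therefore baseline which hosts are expected to reach which brokers.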
D3FEND Inferred Relationships
Browse the D3FEND knowledge graph by clicking on the nodes below.
graph LR; T1071005["Publish/Subscribe Protocols"] --> |may-transfer| CertificateFile["Certificate File"]; class T1071005 OffensiveTechniqueNode; class CertificateFile ArtifactNode; click CertificateFile href "/dao/artifact/d3f:CertificateFile"; click T1071005 href "/offensive-technique/attack/T1071.005/"; click CertificateFile href "/dao/artifact/d3f:CertificateFile"; T1071005["Publish/Subscribe Protocols"] --> |produces| OutboundInternetNetworkTraffic["Outbound Internet Network Traffic"]; class T1071005 OffensiveTechniqueNode; class OutboundInternetNetworkTraffic ArtifactNode; click OutboundInternetNetworkTraffic href "/dao/artifact/d3f:OutboundInternetNetworkTraffic"; click T1071005 href "/offensive-technique/attack/T1071.005/"; click OutboundInternetNetworkTraffic href "/dao/artifact/d3f:OutboundInternetNetworkTraffic";FileEviction["File Eviction"] --> | deletes | CertificateFile["Certificate File"]; FileEviction["File Eviction"] -.-> | may-evict | T1071005["Publish/Subscribe Protocols"] ; class FileEviction DefensiveTechniqueNode; class CertificateFile ArtifactNode; click FileEviction href "/technique/d3f:FileEviction"; FileEncryption["File Encryption"] --> | encrypts | CertificateFile["Certificate File"]; FileEncryption["File Encryption"] -.-> | may-harden | T1071005["Publish/Subscribe Protocols"] ; class FileEncryption DefensiveTechniqueNode; class CertificateFile ArtifactNode; click FileEncryption href "/technique/d3f:FileEncryption"; NetworkTrafficFiltering["Network Traffic Filtering"] --> | filters | OutboundInternetNetworkTraffic["Outbound Internet Network Traffic"]; NetworkTrafficFiltering["Network Traffic Filtering"] -.-> | may-isolate | T1071005["Publish/Subscribe Protocols"] ; class NetworkTrafficFiltering DefensiveTechniqueNode; class OutboundInternetNetworkTraffic ArtifactNode; click NetworkTrafficFiltering href "/technique/d3f:NetworkTrafficFiltering"; LocalFilePermissions["Local File Permissions"] --> | restricts | CertificateFile["Certificate 
File"]; LocalFilePermissions["Local File Permissions"] -.-> | may-isolate | T1071005["Publish/Subscribe Protocols"] ; class LocalFilePermissions DefensiveTechniqueNode; class CertificateFile ArtifactNode; click LocalFilePermissions href "/technique/d3f:LocalFilePermissions"; RestoreFile["Restore File"] --> | restores | CertificateFile["Certificate File"]; RestoreFile["Restore File"] -.-> | may-restore | T1071005["Publish/Subscribe Protocols"] ; class RestoreFile DefensiveTechniqueNode; class CertificateFile ArtifactNode; click RestoreFile href "/technique/d3f:RestoreFile"; FileAnalysis["File Analysis"] --> | analyzes | CertificateFile["Certificate File"]; FileAnalysis["File Analysis"] -.-> | may-detect | T1071005["Publish/Subscribe Protocols"] ; class FileAnalysis DefensiveTechniqueNode; class CertificateFile ArtifactNode; click FileAnalysis href "/technique/d3f:FileAnalysis"; RemoteFileAccessMediation["Remote File Access Mediation"] --> | isolates | CertificateFile["Certificate File"]; RemoteFileAccessMediation["Remote File Access Mediation"] -.-> | may-isolate | T1071005["Publish/Subscribe Protocols"] ; class RemoteFileAccessMediation DefensiveTechniqueNode; class CertificateFile ArtifactNode; click RemoteFileAccessMediation href "/technique/d3f:RemoteFileAccessMediation"; OutboundTrafficFiltering["Outbound Traffic Filtering"] --> | filters | OutboundInternetNetworkTraffic["Outbound Internet Network Traffic"]; OutboundTrafficFiltering["Outbound Traffic Filtering"] -.-> | may-isolate | T1071005["Publish/Subscribe Protocols"] ; class OutboundTrafficFiltering DefensiveTechniqueNode; class OutboundInternetNetworkTraffic ArtifactNode; click OutboundTrafficFiltering href "/technique/d3f:OutboundTrafficFiltering"; DecoyFile["Decoy File"] --> | spoofs | CertificateFile["Certificate File"]; DecoyFile["Decoy File"] -.-> | may-deceive | T1071005["Publish/Subscribe Protocols"] ; class DecoyFile DefensiveTechniqueNode; class CertificateFile ArtifactNode; click DecoyFile href 
"/technique/d3f:DecoyFile"; CertificateAnalysis["Certificate Analysis"] --> | analyzes | CertificateFile["Certificate File"]; CertificateAnalysis["Certificate Analysis"] -.-> | may-detect | T1071005["Publish/Subscribe Protocols"] ; class CertificateAnalysis DefensiveTechniqueNode; class CertificateFile ArtifactNode; click CertificateAnalysis href "/technique/d3f:CertificateAnalysis"; Client-serverPayloadProfiling["Client-server Payload Profiling"] --> | analyzes | OutboundInternetNetworkTraffic["Outbound Internet Network Traffic"]; Client-serverPayloadProfiling["Client-server Payload Profiling"] -.-> | may-detect | T1071005["Publish/Subscribe Protocols"] ; class Client-serverPayloadProfiling DefensiveTechniqueNode; class OutboundInternetNetworkTraffic ArtifactNode; click Client-serverPayloadProfiling href "/technique/d3f:Client-serverPayloadProfiling"; NetworkTrafficCommunityDeviation["Network Traffic Community Deviation"] --> | analyzes | OutboundInternetNetworkTraffic["Outbound Internet Network Traffic"]; NetworkTrafficCommunityDeviation["Network Traffic Community Deviation"] -.-> | may-detect | T1071005["Publish/Subscribe Protocols"] ; class NetworkTrafficCommunityDeviation DefensiveTechniqueNode; class OutboundInternetNetworkTraffic ArtifactNode; click NetworkTrafficCommunityDeviation href "/technique/d3f:NetworkTrafficCommunityDeviation"; PerHostDownload-UploadRatioAnalysis["Per Host Download-Upload Ratio Analysis"] --> | analyzes | OutboundInternetNetworkTraffic["Outbound Internet Network Traffic"]; PerHostDownload-UploadRatioAnalysis["Per Host Download-Upload Ratio Analysis"] -.-> | may-detect | T1071005["Publish/Subscribe Protocols"] ; class PerHostDownload-UploadRatioAnalysis DefensiveTechniqueNode; class OutboundInternetNetworkTraffic ArtifactNode; click PerHostDownload-UploadRatioAnalysis href "/technique/d3f:PerHostDownload-UploadRatioAnalysis"; ProtocolMetadataAnomalyDetection["Protocol Metadata Anomaly Detection"] --> | analyzes | 
OutboundInternetNetworkTraffic["Outbound Internet Network Traffic"]; ProtocolMetadataAnomalyDetection["Protocol Metadata Anomaly Detection"] -.-> | may-detect | T1071005["Publish/Subscribe Protocols"] ; class ProtocolMetadataAnomalyDetection DefensiveTechniqueNode; class OutboundInternetNetworkTraffic ArtifactNode; click ProtocolMetadataAnomalyDetection href "/technique/d3f:ProtocolMetadataAnomalyDetection"; RelayPatternAnalysis["Relay Pattern Analysis"] --> | analyzes | OutboundInternetNetworkTraffic["Outbound Internet Network Traffic"]; RelayPatternAnalysis["Relay Pattern Analysis"] -.-> | may-detect | T1071005["Publish/Subscribe Protocols"] ; class RelayPatternAnalysis DefensiveTechniqueNode; class OutboundInternetNetworkTraffic ArtifactNode; click RelayPatternAnalysis href "/technique/d3f:RelayPatternAnalysis"; RemoteTerminalSessionDetection["Remote Terminal Session Detection"] --> | analyzes | OutboundInternetNetworkTraffic["Outbound Internet Network Traffic"]; RemoteTerminalSessionDetection["Remote Terminal Session Detection"] -.-> | may-detect | T1071005["Publish/Subscribe Protocols"] ; class RemoteTerminalSessionDetection DefensiveTechniqueNode; class OutboundInternetNetworkTraffic ArtifactNode; click RemoteTerminalSessionDetection href "/technique/d3f:RemoteTerminalSessionDetection"; NetworkTrafficSignatureAnalysis["Network Traffic Signature Analysis"] --> | analyzes | OutboundInternetNetworkTraffic["Outbound Internet Network Traffic"]; NetworkTrafficSignatureAnalysis["Network Traffic Signature Analysis"] -.-> | may-detect | T1071005["Publish/Subscribe Protocols"] ; class NetworkTrafficSignatureAnalysis DefensiveTechniqueNode; class OutboundInternetNetworkTraffic ArtifactNode; click NetworkTrafficSignatureAnalysis href "/technique/d3f:NetworkTrafficSignatureAnalysis"; FileIntegrityMonitoring["File Integrity Monitoring"] --> | analyzes | CertificateFile["Certificate File"]; FileIntegrityMonitoring["File Integrity Monitoring"] -.-> | may-detect | 
T1071005["Publish/Subscribe Protocols"] ; class FileIntegrityMonitoring DefensiveTechniqueNode; class CertificateFile ArtifactNode; click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring"; UserGeolocationLogonPatternAnalysis["User Geolocation Logon Pattern Analysis"] --> | analyzes | OutboundInternetNetworkTraffic["Outbound Internet Network Traffic"]; UserGeolocationLogonPatternAnalysis["User Geolocation Logon Pattern Analysis"] -.-> | may-detect | T1071005["Publish/Subscribe Protocols"] ; class UserGeolocationLogonPatternAnalysis DefensiveTechniqueNode; class OutboundInternetNetworkTraffic ArtifactNode; click UserGeolocationLogonPatternAnalysis href "/technique/d3f:UserGeolocationLogonPatternAnalysis";