DET0166: Detection Strategy for T1505.002 - Transport Agent Abuse (Windows/Linux)
Analyst context for executives and security teams
This detection strategy object is a sparse ATT&CK entry for detecting abuse of Transport Agents associated with T1505.002. The business significance is that transport agents sit in the email transport path and, when abused, can support persistence on systems that process mail. For leaders, the practical question is not whether this ATT&CK object provides ready-made detection logic—it does not—but whether Exchange/mail transport administration, change control, and SOC telemetry are strong enough to identify unauthorized or suspicious transport-agent changes.
Executive priority
Prioritize this as an email-infrastructure persistence risk. Mail systems are business-critical, highly privileged, and often central to incident response communications and compliance evidence. Security leaders should ask who can install or modify transport agents, whether those actions are logged and reviewed, and whether IR teams can quickly distinguish approved mail-processing components from unauthorized persistence mechanisms.
Technical view
The supplied ATT&CK relationship says this detection strategy detects T1505.002 Transport Agent, a persistence technique associated with Windows and Linux in the related object, with the description focused on Microsoft Exchange transport agents. Because the official detection text is not provided, SOC and detection engineering teams should validate environmental coverage rather than copy a MITRE analytic. Focus on administrative actions and configuration/state changes involving transport agents, especially new, modified, enabled, disabled, or unexpectedly loaded agents in mail transport infrastructure.
Likely telemetry
- Mail server administrative audit logs for transport-agent creation, modification, enablement, disablement, or removal
- Exchange or mail transport configuration state showing installed transport agents and their properties
- Operating system process, service, file, and module/library load evidence on mail servers where available
- Change-management records for approved mail transport components
- Administrator authentication and authorization logs for accounts capable of managing mail transport configuration
Detection direction
- Build or validate baselines of approved transport agents and alert on additions or changes outside expected maintenance windows.
- Correlate transport-agent changes with administrator identity, source host, ticket/change record, and recent authentication activity.
- Tune carefully for legitimate mail security, journaling, signature, filtering, and compliance agents, which can otherwise create false positives.
- Prioritize high-confidence review when a transport-agent change occurs on a business-critical mail server, uses an unusual administrator account, or lacks a corresponding approved change.
- Account for the main blind spot in this ATT&CK object: no official detection logic or data source list is supplied, so local logging configuration determines whether meaningful detection is possible.
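One way to operationalize the baseline-and-correlate direction above, as an added Python example that is not part of this ATT&CK object or the Glexia analysis: it diffs a constructed approved-agent baseline against a constructed current inventory (the shape of an export such as Get-TransportAgent output) and triages each deviation against constructed admin audit events, a maintenance window and an approved-administrator list. Every agent name, assembly path, account and change ID below is a constructed placeholder.

```python
from datetime import datetime, time
# Constructed sample data (not from any real server): approved baseline and current inventory.
APPROVED = {
    "Journaling Agent": {"assembly": r"C:\Mail\Agents\Journal.dll", "enabled": True},
    "Disclaimer Agent": {"assembly": r"C:\Mail\Agents\Disclaimer.dll", "enabled": True},
}
CURRENT = {
    "Journaling Agent": {"assembly": r"C:\Mail\Agents\Journal.dll", "enabled": True},
    "Disclaimer Agent": {"assembly": r"C:\Mail\Agents\Disclaimer.dll", "enabled": False},
    "Content Helper": {"assembly": r"C:\Users\Public\helper.dll", "enabled": True},
}
# Constructed admin audit events: (timestamp, actor, action, agent, change_id).
AUDIT = [
    ("2024-05-04T02:10:00", "svc_mailops", "Disable-TransportAgent", "Disclaimer Agent", "CHG-1042"),
    ("2024-05-06T14:32:00", "helpdesk7", "Install-TransportAgent", "Content Helper", None),
]
APPROVED_ADMINS = {"svc_mailops", "exch_admin"}  # accounts allowed to manage agents
MAINTENANCE = (time(1, 0), time(5, 0))           # nightly maintenance window (local time)

def diff_agents(approved, current):
    """Compare the current inventory to the baseline; return (kind, agent name) findings."""
    findings = []
    for name, props in current.items():
        if name not in approved:
            findings.append(("added", name))
        elif props != approved[name]:  # assembly path or enabled flag changed
            findings.append(("modified", name))
    findings += [("removed", name) for name in approved if name not in current]
    return findings

def triage(name, audit, admins, window):
    """Correlate one changed agent with audit evidence; return (priority, reasons)."""
    events = [e for e in audit if e[3] == name]
    if not events:  # agent changed but no admin action was logged for it
        return "high", ["no audit event for this change"]
    reasons = []
    for ts, actor, _action, _agent, change_id in events:
        when = datetime.fromisoformat(ts).time()
        if change_id is None:
            reasons.append("no change record")
        if not window[0] <= when <= window[1]:
            reasons.append("outside maintenance window")
        if actor not in admins:
            reasons.append(f"unexpected administrator {actor}")
    return ("high" if reasons else "low"), reasons

def review(approved=APPROVED, current=CURRENT, audit=AUDIT):
    return {name: triage(name, audit, APPROVED_ADMINS, MAINTENANCE)
            for _kind, name in diff_agents(approved, current)}
```

The approved-but-disabled Disclaimer Agent triages low because a ticketed change by an approved account landed inside the window; the new Content Helper agent triages high on all three checks.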
Mitigation priorities
- Restrict transport-agent management to a small set of authorized administrators and enforce strong administrative access controls.
- Maintain an approved inventory of transport agents and review it during mail-platform changes and incident response.
- Require change control for installation, update, enablement, or removal of mail transport components.
- Ensure mail servers generate and retain administrative and configuration-change logs sufficient for investigation and audit evidence.
- Include transport-agent review in incident response playbooks for suspected email-platform persistence.
Analyst notes and limits
This take is based on DET0166 and its relationship to ATT&CK technique T1505.002 Transport Agent. The object itself has no official description, detection text, tactics, or platforms; the persistence tactic and Windows/Linux platform context come from the related technique. Defensive recommendations are therefore framed as validation and governance priorities, not as MITRE-provided analytics.
The supplied detection strategy is sparse and does not include detection pseudocode, data components, analytic examples, mitigations, or procedure examples. Local mail architecture, logging configuration, administrative model, and approved transport-agent inventory are required to determine actual coverage and risk.
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1505.002 | Transport Agent Sub-technique | This object detects Transport Agent. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | ca66907a65b9… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: DET0166 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.