DET0845: Detection of Malware
DET0845 is a MITRE detection strategy entry for detecting adversary use or acquisition of malware as a resource-development behavior. Its value is less abo...
Analyst context for executives and security teams
DET0845 is a MITRE detection strategy entry for detecting adversary use or acquisition of malware as a resource-development behavior. Its value is less about a single alert rule and more about whether the organization can connect threat intelligence, malware knowledge, and internal observations early enough to inform preparedness before post-compromise activity occurs.
Executive priority
Treat this as a readiness and prioritization question: do security teams have enough malware intelligence and internal evidence to recognize relevant tooling before it becomes an incident? Because the related ATT&CK technique is pre-compromise resource development, leaders should use this to assess threat intelligence intake, SOC enrichment, incident response playbooks, and evidence for audit/compliance programs that require malware monitoring or response capability.
Technical view
The supplied ATT&CK object has no official detection text, platforms, or tactics, but it is related to T1588.001 Malware under Resource Development on the PRE platform. SOC and IR teams should therefore validate how malware-related intelligence is collected, normalized, and tied to detections or investigations. Detection engineering should focus on whether malware names, families, hashes, infrastructure, packers, payload types, droppers, backdoors, post-compromise tools, and C2 protocol indicators from trusted sources can be correlated with internal telemetry when available.
Likely telemetry
- Threat intelligence reports and indicator feeds referencing malware capabilities or families
- Malware repository or sandbox analysis metadata, where available
- Endpoint, email, proxy, DNS, and network security logs that may later show contact with known malware artifacts or infrastructure
- Case management and incident response records linking observed artifacts to malware analysis
- SOC enrichment data used to map malware observations to ATT&CK techniques
Detection direction
- Validate that malware intelligence can be mapped to T1588.001 and used as context, not just stored as raw indicators.
- Tune for indicator quality and recency; malware hashes and infrastructure can age quickly and create false positives or missed coverage if used alone.
- Confirm whether detections distinguish pre-compromise intelligence about adversary resources from internal compromise evidence.
- Check blind spots where malware intelligence is not available to the SOC, is not integrated into alert enrichment, or is not retained with investigation records.
- Use relationship context carefully: this strategy detects a resource-development technique, so it should support early warning and preparedness rather than be treated as proof of intrusion.
Mitigation priorities
- Prioritize a governed malware intelligence process with clear sources, ownership, retention, and confidence handling.
- Integrate malware intelligence into SOC triage, incident response playbooks, and detection engineering workflows.
- Maintain response procedures for validating malware-related alerts, including artifact handling and escalation criteria.
- Review logging coverage across endpoint, email, web, DNS, and network controls so internal sightings can be correlated when relevant.
- Track evidence of malware monitoring and response readiness for compliance and executive risk reporting.
Analyst notes and limits
The official ATT&CK object is sparse: no description, official detection guidance, platforms, or tactics are provided on the detection strategy itself. The main decision value comes from its relationship to T1588.001 Malware, which describes adversaries acquiring malware such as payloads, droppers, post-compromise tools, backdoors, packers, and C2 protocols.
This take should not be read as a specific detection rule or proof of coverage. Local telemetry, intelligence sources, malware analysis capability, and SOC processes determine whether DET0845 is actionable in a given environment.
Detection of Malware
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | 36743ab3a0c6… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack DET0845Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.