MITRE ATT&CK® Detection Strategy

DET0850: Detection of Obtain Capabilities

Enterprise | DET0850 | Detection Strategy | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

DET0850 is a detection strategy for ATT&CK technique T1588, Obtain Capabilities: adversaries acquiring malware, exploits, certificates, software, licenses, or vulnerability information to support later operations. Its business value is early warning. If an organization can recognize capability acquisition signals that relate to its sector, brands, infrastructure, suppliers, or exposed technologies, it may gain time to harden systems, brief incident responders, and prioritize vulnerability or identity controls before intrusion activity reaches the enterprise environment.

Executive priority

Treat this as a pre-incident intelligence and readiness question rather than a conventional endpoint alert. Leaders should ask whether threat intelligence, vulnerability management, SOC, incident response, and third-party risk processes are connected well enough to turn capability-acquisition indicators into decisions: what gets patched first, what monitoring is increased, what brands or certificates are watched, and what response playbooks are prepared. Because the ATT&CK object has no official detection text or platform scope, it should not be used as evidence of existing coverage by itself; it is a prompt to validate whether the organization can operationalize resource-development intelligence.

Technical view

The related ATT&CK technique is T1588, Obtain Capabilities, in the resource-development tactic on the PRE platform. SOC and detection engineering teams should frame DET0850 around intelligence-led monitoring and correlation, not only internal host or network telemetry. Validate whether teams can ingest and assess evidence of adversaries obtaining malware, software, exploits, certificates, or vulnerability information, then connect that context to internal exposure: affected technologies, externally facing assets, certificate usage, identity dependencies, and IR watchlists. Since MITRE provides no official detection logic for this detection strategy, local analytic design, source reliability, and escalation criteria must be defined by the defender.

Likely telemetry

  • Threat intelligence reporting about malware, exploits, certificates, software, licenses, and vulnerability information associated with adversary resource development
  • Vulnerability intelligence and exposure data mapped to the organization’s products, internet-facing assets, and business-critical systems
  • Certificate inventory and certificate transparency or certificate-monitoring evidence where relevant to suspicious or impersonating certificates
  • Asset inventory and software inventory needed to determine whether obtained capabilities are relevant to the environment
  • SOC case management and IR records showing whether pre-incident intelligence was reviewed, triaged, and converted into watchlists or control changes

Detection direction

  • Validate that intelligence about obtained capabilities is triaged against the organization’s actual exposure rather than handled as generic news.
  • Define correlation criteria between capability-acquisition reporting and internal asset, vulnerability, certificate, and software inventories.
  • Tune for decision quality: reduce false urgency from unverified or non-relevant intelligence, but avoid dismissing capability acquisition that maps to business-critical technologies or exposed services.
  • Create escalation paths from threat intelligence to SOC monitoring, vulnerability prioritization, incident response readiness, and executive risk communication.
  • Document blind spots caused by missing external intelligence sources, incomplete asset inventory, weak certificate visibility, or lack of linkage between vulnerability management and SOC workflows.
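As an added example (not part of the ATT&CK object or Glexia's text), the following Python sketches the correlation and triage logic described in the points above: each capability-acquisition report is matched against a constructed product, vulnerability and brand inventory, and the reliability of the source decides whether a match escalates, is held for source verification, or is only watchlisted. All names, the reliability scale and the thresholds are assumptions.

```python
from dataclasses import dataclass

RELIABILITY_SCORE = {"A": 3, "B": 2, "C": 1}  # constructed scale; D-F count as unverified
ROUTE = {"exploit": "vulnerability-management", "vulnerability": "vulnerability-management",
         "malware": "soc-watchlist", "software": "soc-watchlist", "certificate": "certificate-monitoring"}

@dataclass
class IntelReport:
    reliability: str     # A..F
    capability: str      # a key of ROUTE
    subjects: frozenset  # products, vulnerability ids or brand names the report mentions

@dataclass
class Exposure:
    products: dict         # product -> {"internet_facing": bool, "critical": bool}
    brands: frozenset      # brand/domain names the organisation owns
    vuln_to_product: dict  # vulnerability id -> product in the inventory

def triage(report: IntelReport, exposure: Exposure) -> dict:
    """Correlate one report with internal exposure and decide how to handle it."""
    hits = {}
    for subject in report.subjects:
        if subject in exposure.products:
            hits[subject] = exposure.products[subject]
        elif subject in exposure.vuln_to_product:
            product = exposure.vuln_to_product[subject]
            hits[product] = exposure.products[product]
        elif report.capability == "certificate" and subject in exposure.brands:
            hits[subject] = {"internet_facing": True, "critical": True}  # impersonation risk
    route = ROUTE[report.capability]
    if not hits:  # not relevant to this environment: record it, raise no urgency
        return {"decision": "dismiss", "route": route, "hits": []}
    high_impact = any(h["critical"] or h["internet_facing"] for h in hits.values())
    verified = RELIABILITY_SCORE.get(report.reliability, 0) > 0
    if not verified:  # unverified reporting never escalates, but a high-impact match is kept
        decision = "verify-source" if high_impact else "monitor"
    else:
        decision = "escalate" if high_impact else "watchlist"
    return {"decision": decision, "route": route, "hits": sorted(hits)}

# Constructed sample inventory and reports; every name below is a placeholder.
EXPOSURE = Exposure(
    products={"ExampleVPN": {"internet_facing": True, "critical": True},
              "InternalWiki": {"internet_facing": False, "critical": False}},
    brands=frozenset({"example.com"}), vuln_to_product={"VULN-PLACEHOLDER-1": "ExampleVPN"})
REPORTS = [IntelReport("B", "exploit", frozenset({"VULN-PLACEHOLDER-1"})),
           IntelReport("E", "malware", frozenset({"ExampleVPN"})),
           IntelReport("A", "certificate", frozenset({"example.com"})),
           IntelReport("C", "software", frozenset({"InternalWiki"})),
           IntelReport("A", "malware", frozenset({"UnrelatedProduct"}))]
```

Running `triage` over `REPORTS` yields escalate, verify-source, escalate, watchlist and dismiss in that order, each with the owning process named in `route`.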

Mitigation priorities

  • Start with inventory quality: confirm the organization can identify affected technologies, exposed assets, software dependencies, and certificate usage.
  • Connect threat intelligence to vulnerability management so capability-acquisition reporting can influence patching and compensating-control priority.
  • Prepare SOC and IR watchlists for relevant malware, exploit, certificate, or vulnerability themes when intelligence is credible and applicable.
  • Use control validation exercises to confirm that intelligence-led changes actually reach monitoring, alert triage, and incident decision processes.
  • Maintain audit-ready evidence showing how pre-incident intelligence is received, assessed, assigned, and acted on.

Analyst notes and limits

This take is based on the supplied detection strategy object DET0850 and its relationship to T1588 Obtain Capabilities. The ATT&CK object does not include an official description, official detection guidance, tactics, or platforms for the detection strategy itself. The practical interpretation therefore relies on the related technique’s ATT&CK description and its resource-development/PRE context.

No active exploitation, attribution, vendor coverage, or guaranteed detection can be inferred from the supplied fields. Local value depends on available threat intelligence, asset and vulnerability data quality, certificate visibility, and the organization’s ability to operationalize pre-compromise indicators.

Official MITRE ATT&CK definition

Detection of Obtain Capabilities

No official description is available in the imported ATT&CK source object.

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure
Enterprise | T1588 | Obtain Capabilities | This object detects Obtain Capabilities.
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table can be opened to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources page under Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 84d290590d57a513...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 84d290590d57…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.