MITRE ATT&CK® Detection Strategy

DET0859: Detection of Network Devices


Enterprise | DET0859 | Detection Strategy | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

DET0859 is a MITRE detection strategy placeholder for identifying adversary preparation involving compromised third-party network devices, related to ATT&CK technique T1584.008. The business significance is that this activity sits before direct intrusion: adversaries may use devices such as SOHO routers as infrastructure to support later targeting. For leaders, the key value is not assuming this will appear in endpoint telemetry; coverage depends on threat intelligence, network visibility, infrastructure reputation, and incident-response processes that can connect suspicious external infrastructure to campaigns or targeting risk.

Executive priority

Prioritize this as an exposure and readiness question rather than a traditional host-control question. Security leaders should ask whether the organization can recognize when suspicious network-device infrastructure is being used against it, whether SOC and IR teams have enough external network, DNS, proxy, firewall, and threat-intelligence context to make decisions, and whether third-party or unmanaged network devices create blind spots in investigations. This is relevant to resilience because adversary-controlled infrastructure can support later operations even when the compromised device is outside the organization’s ownership.

Technical view

The supplied ATT&CK object provides no official detection logic, platforms, or tactic mapping for the detection strategy itself. The only concrete relationship is that DET0859 detects T1584.008, Network Devices, a PRE-platform resource-development technique involving compromised third-party network devices used to support additional targeting. SOC and detection teams should therefore validate whether they can identify suspicious use of external network-device infrastructure through network security monitoring, perimeter logs, DNS/proxy observations, threat-intelligence enrichment, and incident correlation. Detection should focus on evidence that external infrastructure interacting with the organization is associated with compromised or abused network devices, while avoiding assumptions that endpoint telemetry alone will provide coverage.

Likely telemetry

  • Firewall and perimeter connection logs showing inbound or outbound interactions with suspicious external infrastructure
  • Proxy and web gateway logs for requests to or from unusual network-device-associated infrastructure
  • DNS query and resolver logs for domains or hosts linked through threat-intelligence context
  • Network flow metadata that can support correlation of external infrastructure behavior over time
  • Threat-intelligence enrichment or reputation data for IP addresses, domains, and infrastructure assessed as compromised network devices

Detection direction

  • Confirm what data sources can observe external infrastructure before, during, and after attempted targeting; do not assume host agents will see resource-development activity.
  • Tune detections around correlation and enrichment rather than single indicators, because the ATT&CK object does not provide specific analytic logic.
  • Validate whether SOC workflows preserve enough DNS, proxy, firewall, and flow history to investigate infrastructure that may be used only intermittently.
  • Account for false positives from benign SOHO, ISP, hosting, VPN, or consumer-network infrastructure; require context such as reputation, behavior, recurrence, and relationship to other suspicious activity.
  • Use the relationship to T1584.008 to frame this as pre-compromise infrastructure detection, not proof of initial access or confirmed impact.
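The detection direction above says to alert on correlation and enrichment rather than on a single indicator, and to treat benign consumer or SOHO infrastructure without context as non-alerting. The following is an added example of that triage logic, written for this page and not code from Glexia or MITRE. The firewall lines, DNS resolver lines, reputation table and scoring weights are all constructed; the IP addresses come from the documentation ranges 192.0.2.0/24 and 198.51.100.0/24 and the domain names are reserved example names, so nothing here refers to real infrastructure.

```python
"""Correlation-and-enrichment triage for suspicious external infrastructure.

Added example (not MITRE's or Glexia's code). All indicators, log lines and
the reputation table are constructed for illustration.
"""
from dataclasses import dataclass, field

# Constructed firewall lines: timestamp, direction, source, destination, action
FIREWALL_LOG = """\
2024-05-01T08:00:01Z outbound 10.0.5.21 192.0.2.45:443 allow
2024-05-01T08:05:10Z inbound 192.0.2.45 10.0.5.21:22 deny
2024-05-02T09:11:03Z outbound 10.0.5.22 192.0.2.45:443 allow
2024-05-02T10:00:00Z outbound 10.0.5.30 198.51.100.7:443 allow
2024-05-03T11:42:19Z outbound 10.0.5.21 192.0.2.45:8443 allow
"""

# Constructed DNS resolver lines: timestamp, client, query name, answer
DNS_LOG = """\
2024-05-01T07:59:58Z 10.0.5.21 update.router-example.net 192.0.2.45
2024-05-02T09:10:59Z 10.0.5.22 update.router-example.net 192.0.2.45
2024-05-02T09:59:57Z 10.0.5.30 cdn.example.org 198.51.100.7
"""

# Constructed threat-intel enrichment keyed by indicator. The reputation
# labels are hypothetical; a real feed has its own schema and confidence.
THREAT_INTEL = {
    "192.0.2.45": {"reputation": "compromised-soho-router", "confidence": "medium"},
    "update.router-example.net": {"reputation": "compromised-soho-router", "confidence": "low"},
    # 198.51.100.7 is deliberately absent: ordinary CDN traffic must not alert
}


@dataclass
class Observation:
    indicator: str
    sources: set = field(default_factory=set)         # telemetry that saw it
    days: set = field(default_factory=set)            # distinct days (recurrence)
    internal_hosts: set = field(default_factory=set)  # which internal hosts touched it
    related: set = field(default_factory=set)         # indicators linked via DNS answers


def parse_firewall(text):
    """Yield (day, external indicator, internal host) from constructed firewall lines."""
    for line in text.splitlines():
        ts, direction, src, dst, _action = line.split()
        dst_ip = dst.partition(":")[0]
        ext, internal = (dst_ip, src) if direction == "outbound" else (src, dst_ip)
        yield ts[:10], ext, internal


def parse_dns(text):
    """Yield (day, client, qname, answer) from constructed resolver lines."""
    for line in text.splitlines():
        ts, client, qname, answer = line.split()
        yield ts[:10], client, qname, answer


def build_observations(fw_text, dns_text):
    """Merge firewall and DNS sightings into one record per external indicator."""
    obs = {}

    def get(ind):
        return obs.setdefault(ind, Observation(ind))

    for day, ext, internal in parse_firewall(fw_text):
        o = get(ext)
        o.sources.add("firewall"); o.days.add(day); o.internal_hosts.add(internal)
    for day, client, qname, answer in parse_dns(dns_text):
        for ind in (qname, answer):
            o = get(ind)
            o.sources.add("dns"); o.days.add(day); o.internal_hosts.add(client)
        # A name and the address it resolved to are related indicators
        get(qname).related.add(answer)
        get(answer).related.add(qname)
    return obs


def score(o, intel):
    """Score one indicator; a reputation hit alone is not enough to reach the threshold."""
    rep = intel.get(o.indicator)
    if rep is None:
        return 0, []  # no reputation context: traffic alone does not alert
    reasons = ["reputation:" + rep["reputation"]]
    s = 1
    if len(o.days) >= 2:
        s += 1; reasons.append(f"recurrence:{len(o.days)}d")
    if len(o.sources) >= 2:
        s += 1; reasons.append("multi-source:" + ",".join(sorted(o.sources)))
    linked = [r for r in o.related if r in intel]
    if linked:
        s += 1; reasons.append("related-indicator:" + ",".join(sorted(linked)))
    return s, reasons


def triage(fw_text, dns_text, intel, threshold=3):
    """Return indicators that reach the threshold, highest score first."""
    out = []
    for o in build_observations(fw_text, dns_text).values():
        s, reasons = score(o, intel)
        if s >= threshold:
            out.append({"indicator": o.indicator, "score": s, "reasons": reasons,
                        "internal_hosts": sorted(o.internal_hosts)})
    return sorted(out, key=lambda r: -r["score"])


if __name__ == "__main__":
    for row in triage(FIREWALL_LOG, DNS_LOG, THREAT_INTEL):
        print(row)
```

With the constructed data, 192.0.2.45 reaches the threshold because it has a reputation entry, recurs across three days, appears in both firewall and DNS telemetry, and is tied to a second enriched indicator; the CDN address 198.51.100.7 is seen but never scored because it has no enrichment context. The threshold value and weights are placeholders to be tuned against local false-positive rates.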

Mitigation priorities

  • Establish or review threat-intelligence and network-monitoring processes for identifying suspicious external infrastructure associated with compromised network devices.
  • Ensure perimeter, DNS, proxy, and flow telemetry retention is sufficient for incident reconstruction and compliance evidence.
  • Define SOC escalation criteria for suspicious infrastructure used in targeting, including when to block, monitor, enrich, or open an incident.
  • Integrate infrastructure findings into incident-response playbooks so analysts can connect pre-intrusion observations with later alerts.
  • For owned or managed network devices, maintain standard hardening, patching, credential, and monitoring practices, while recognizing that this ATT&CK relationship also concerns third-party devices outside direct control.

Analyst notes and limits

MITRE provides DET0859 as a detection strategy object with no official description or detection text in the supplied fields. The take is therefore driven by its relationship to T1584.008, Network Devices, under resource development on the PRE platform. Defensive value comes from validating visibility and workflow coverage for suspicious external infrastructure rather than from a specific ATT&CK-provided analytic.

The supplied object does not specify platforms, tactics, official detection logic, data sources, mitigations, procedures, or examples for DET0859. Any local detection must be based on the organization’s telemetry, threat-intelligence sources, acceptable-use context, and incident history. This summary does not assert active exploitation, attribution, customer exposure, or guaranteed detection coverage.

Official MITRE ATT&CK definition

Detection of Network Devices

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain      ID         Name                             Relationship / procedure
Enterprise  T1584.008  Network Devices (Sub-technique)  This object detects Network Devices.
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.

ATT&CK release: 19.1
Object version: 1.0
Created: (empty)
Modified: (empty)
Raw hash: 38d023f43279d52e...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1     (empty)          1.0             (empty)   Current bundle  38d023f43279…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack DET0859
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.