MITRE ATT&CK® Detection Strategy

DET0871: Detection of Server

Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Low

DET0871 is a MITRE detection strategy for identifying adversary-controlled or adversary-obtained servers associated with ATT&CK technique T1583.004, Server. Its value is mainly pre-incident: spotting infrastructure that may later support phishing, watering-hole activity, command and control, or other operations before those activities become a confirmed compromise.

Executive priority

Treat this as an infrastructure-awareness and readiness problem, not a guaranteed alerting use case. Leaders should ask whether security teams can identify suspicious external server infrastructure early enough to inform blocking, threat hunting, incident scoping, and risk decisions. Because MITRE provides no official detection logic, platforms, or tactics for this detection strategy, budget and control decisions should be based on locally proven telemetry and response workflows rather than assumptions of coverage.

Technical view

This detection strategy maps to T1583.004 Server under resource development, with the related platform listed as PRE. SOC and threat intelligence teams should validate how they identify, enrich, and act on servers that may be staged for adversary operations. Detection engineering should avoid treating this as a single log-source rule; instead, assess correlation across external infrastructure intelligence and internal observations of interactions with servers later associated with phishing, drive-by compromise, watering-hole activity, or command-and-control enablement.

Likely telemetry

  • External infrastructure intelligence and enrichment on servers, hosting, ownership, and reputation where available
  • Network security logs showing connections to externally hosted servers
  • DNS resolution and passive DNS-style evidence where available
  • Web proxy or secure web gateway logs for browsing to externally hosted infrastructure
  • Email security telemetry when server infrastructure is used to support phishing-related delivery or landing pages

Detection direction

  • First confirm what the organization actually collects and retains, because the ATT&CK object provides no official detection text or platform guidance.
  • Correlate infrastructure observations with related activity context from T1583.004, especially servers used to stage, launch, or support operations such as phishing, drive-by compromise, watering-hole activity, or command and control.
  • Tune for context rather than raw server presence; legitimate leased or hosted servers are common, so enrichment, timing, reputation, observed contact patterns, and relationship to known investigations are important to reduce false positives.
  • Document blind spots where pre-compromise infrastructure is outside enterprise visibility, especially when no internal system has yet interacted with the server.
  • Use detections as leads for threat hunting and investigation triage, not as standalone proof of compromise.

Mitigation priorities

  • Prioritize visibility and retention for network, DNS, web, and email evidence that can show interactions with suspicious server infrastructure.
  • Establish a threat-intelligence enrichment process for externally hosted servers observed in investigations or detections.
  • Define response playbooks for triaging suspected adversary infrastructure, including containment decisions, blocking criteria, and escalation to incident response.
  • Maintain audit-ready evidence showing what telemetry is collected, how infrastructure intelligence is evaluated, and how blocking or monitoring decisions are approved.
  • Review gaps periodically because this detection strategy has no MITRE-provided detection implementation details.

Analyst notes and limits

The supplied ATT&CK object is sparse: it has a name, external reference, and relationship to T1583.004 Server, but no official description, detection text, tactics, or platforms. The most defensible interpretation is that DET0871 supports detection strategy planning around adversary server infrastructure used during resource development and later operational support.

This take does not assert active exploitation, actor attribution, guaranteed detection, or specific technology coverage. Local telemetry, intelligence sources, retention, and response procedures are required to determine whether DET0871 is actionable in a given environment.

Official MITRE ATT&CK definition

Detection of Server

No official description is available in the imported ATT&CK source object.


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain      ID         Name    Relationship / procedure
Enterprise  T1583.004  Server  Sub-technique. This object detects Server.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created: (not present in source object)
Modified: (not present in source object)
Raw hash: 1e394d8cfadd77c2...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1                      1.0                       Current bundle  1e394d8cfadd…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack, DET0871

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.