DET0874: Detection of Server
Analyst context for executives and security teams
DET0874 is a MITRE detection strategy for identifying adversary use of compromised third-party servers as operational infrastructure. The business issue is not the server itself, but whether the organization can recognize when infrastructure used for staging, launching, or command-and-control activity is not newly purchased attacker infrastructure but a legitimate server that has been compromised and repurposed.
Executive priority
Prioritize this as a threat-intelligence and SOC readiness question: can teams connect suspicious infrastructure to resource-development behavior before or during an incident? Because the related ATT&CK technique is pre-compromise/resource-development focused, value comes from improving infrastructure risk triage, incident scoping, and evidence for decisions about blocking, monitoring, partner notification, and escalation.
Technical view
The ATT&CK object provides no official detection logic, platforms, or tactics for DET0874. The only supplied context is that it detects T1584.004 Server, where adversaries may compromise third-party servers for staging, launching, executing operations, and possibly command and control. SOC and detection teams should validate whether they can correlate infrastructure indicators with evidence that a server is a compromised third-party host rather than attacker-owned infrastructure, and whether those indicators are connected to observed targeting or C2 patterns.
Likely telemetry
- Threat intelligence reporting on suspicious or compromised infrastructure
- Network security logs showing connections to or from suspect servers
- DNS and passive DNS records associated with suspect infrastructure
- Proxy, firewall, and web gateway logs for access to suspect servers
- Endpoint or server logs if the organization owns, manages, or investigates an affected server
Detection direction
- Treat DET0874 as a strategy placeholder rather than a ready analytic; no official detection procedure is supplied.
- Validate enrichment workflows that distinguish compromised third-party servers from newly registered or purchased infrastructure.
- Tune detections to combine infrastructure reputation, DNS/network observations, and incident context; single indicators may create false positives because legitimate third-party servers can be compromised or later remediated.
- Check whether pre-compromise/resource-development indicators are retained and searchable long enough to support later incident reconstruction.
- Use relationship context to map findings to T1584.004 when suspicious infrastructure appears to be a compromised server used for staging, launch, execution, or command and control.
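The combination rule above (reputation plus DNS/network observation plus incident context, with no single indicator escalating on its own) can be made concrete. The following is an added example, not code from MITRE, the ATT&CK object, or Glexia: it parses a few constructed proxy log lines, looks for near-regular connection intervals, joins that with a constructed enrichment record (TI hits, registration age, benign passive-DNS history, identifiable owner), and only then decides whether an external server looks like a compromised third-party host in the sense of T1584.004 or like newly set-up attacker-owned infrastructure. All hostnames, log lines, enrichment values and thresholds are constructed assumptions.

```python
"""Added example (not MITRE's or Glexia's code): score an external server by
combining TI reputation, ownership/registration context and observed network
behaviour, so that a single indicator alone never escalates. All enrichment
values, hostnames, thresholds and log lines are constructed for this example."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import pstdev

# Constructed proxy log lines: ISO timestamp followed by key=value fields.
PROXY_LOGS = [
    "2026-03-01T10:00:00Z src=10.1.4.22 host=files.example-partner.net uri=/cms/uploads/t.php",
    "2026-03-01T10:05:00Z src=10.1.4.22 host=files.example-partner.net uri=/cms/uploads/t.php",
    "2026-03-01T10:10:00Z src=10.1.4.22 host=files.example-partner.net uri=/cms/uploads/t.php",
    "2026-03-01T10:15:00Z src=10.1.4.22 host=files.example-partner.net uri=/cms/uploads/t.php",
    "2026-03-01T10:20:00Z src=10.1.4.22 host=files.example-partner.net uri=/cms/uploads/t.php",
    "2026-03-01T11:00:00Z src=10.1.7.9 host=cdn-update.example-new.xyz uri=/u",
    "2026-03-01T11:10:05Z src=10.1.7.9 host=cdn-update.example-new.xyz uri=/u",
    "2026-03-01T11:20:00Z src=10.1.7.9 host=cdn-update.example-new.xyz uri=/u",
    "2026-03-01T11:29:58Z src=10.1.7.9 host=cdn-update.example-new.xyz uri=/u",
    "2026-03-01T09:12:40Z src=10.1.2.5 host=www.example-vendor.com uri=/docs/index.html",
    "2026-03-01T16:48:03Z src=10.1.2.5 host=www.example-vendor.com uri=/docs/index.html",
]


@dataclass
class Enrichment:
    """Constructed enrichment record; the field names are assumptions, not an ATT&CK schema."""
    reputation_hits: int      # number of TI sources currently flagging the host
    domain_age_days: int      # days since registration (WHOIS / passive DNS)
    benign_history_days: int  # days of ordinary, non-malicious passive-DNS history
    known_owner: bool         # resolves to an identifiable legitimate business


# Constructed enrichment for the three hosts seen in the logs.
ENRICHMENT = {
    "files.example-partner.net": Enrichment(2, 2100, 900, True),
    "cdn-update.example-new.xyz": Enrichment(1, 7, 0, False),
    "www.example-vendor.com": Enrichment(1, 3000, 3000, True),
}


def parse_line(line):
    """Split one log line into a dict; the leading token is the timestamp."""
    ts, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    fields["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return fields


def beaconing_hosts(lines, min_hits=4, max_jitter_s=60.0):
    """Hosts contacted by one source at near-regular intervals (low gap jitter)."""
    stamps = defaultdict(list)
    for f in map(parse_line, lines):
        stamps[(f["src"], f["host"])].append(f["ts"])
    hosts = set()
    for (_, host), ts in stamps.items():
        if len(ts) < min_hits:
            continue
        ts.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        if pstdev(gaps) <= max_jitter_s:
            hosts.add(host)
    return hosts


def triage(host, enr, beacons):
    """Combine indicators; classify only when the total evidence is strong enough."""
    score, reasons = 0, []
    if enr.reputation_hits >= 2:
        score += 2
        reasons.append("multiple TI sources")
    elif enr.reputation_hits == 1:
        score += 1
        reasons.append("single TI source")
    if host in beacons:
        score += 2
        reasons.append("periodic beaconing observed")
    if enr.domain_age_days < 30:
        score += 1
        reasons.append("recently registered")
    # A lone indicator (score below 3) is never escalated on its own.
    if score < 3:
        verdict = "insufficient evidence: enrich and monitor"
    elif enr.known_owner and enr.benign_history_days >= 180:
        verdict = "likely compromised third-party server (T1584.004)"
    elif enr.domain_age_days < 30:
        verdict = "likely attacker-owned new infrastructure"
    else:
        verdict = "suspicious, ownership unresolved"
    return {"host": host, "score": score, "reasons": reasons, "verdict": verdict}


def triage_all(lines=PROXY_LOGS, enrichment=ENRICHMENT):
    """Run the behavioural pass once, then score every enriched host."""
    beacons = beaconing_hosts(lines)
    return {h: triage(h, e, beacons) for h, e in enrichment.items()}


if __name__ == "__main__":
    for r in triage_all().values():
        print(f"{r['host']}: score={r['score']} {r['verdict']} ({', '.join(r['reasons'])})")
```

The point of the split verdicts is the one the list makes: a long benign passive-DNS history and an identifiable owner push a suspicious host toward "compromised third-party" (notify the owner, preserve evidence, and expect later remediation), while a days-old registration with no history points at attacker-owned infrastructure, where blocking carries less business risk. The vendor host, flagged by one source only, stays at "enrich and monitor" rather than producing an alert.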
Mitigation priorities
- Establish intelligence-led triage for suspicious external servers before relying on blocking alone.
- Ensure SOC and IR playbooks include enrichment, ownership assessment, and evidence preservation for suspected compromised third-party infrastructure.
- Coordinate decisions for block, monitor, or escalate based on business dependency, confidence, and incident context.
- Maintain audit-ready records showing how infrastructure indicators were evaluated and linked to ATT&CK behavior when used in incident decisions.
Analyst notes and limits
This take is based on the supplied DET0874 detection-strategy metadata and its relationship to T1584.004 Server. The detection-strategy object itself has no official description, detection text, tactics, or platforms; the related technique supplies the resource-development and PRE context.
Local telemetry requirements and detection quality depend on the organization’s network visibility, threat-intelligence sources, retention, and enrichment processes. The supplied ATT&CK fields do not support claims about active exploitation, specific tooling, attribution, affected vendors, or guaranteed detection coverage.
Detection of Server
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 9b9ff570c071… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: DET0874 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.