MITRE ATT&CK® Detection Strategy

DET0880: Detection of Purchase Technical Data


Enterprise | DET0880 | Detection Strategy | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

DET0880 is a detection strategy for identifying when an adversary may be purchasing technical data about a victim as part of reconnaissance. The business significance is that targeting can begin before any interaction with enterprise systems, using commercial, aggregated, or illicitly sourced technical information. Leaders should treat this as an external exposure and threat-intelligence problem, not only an internal logging problem.

Executive priority

Prioritize this where external attack surface, leaked technical details, third-party data exposure, or high-value targeting materially affect resilience. The key executive question is whether the organization can understand what technical information about it is commercially or illicitly available, how that information could support targeting, and whether security teams can turn that insight into remediation, monitoring, and incident readiness evidence.

Technical view

The supplied ATT&CK object has no official detection text, no specified platforms, and no tactics of its own. Its only relationship states that it detects T1597.002, Purchase Technical Data, a reconnaissance sub-technique on the PRE platform. SOC, threat intelligence, and external attack surface teams should validate whether they monitor for externally available technical data about the organization, including purchased or aggregated sources where legally and contractually appropriate. Detection should focus on defensive discovery of exposed technical details and correlation with targeting indicators, not on the assumption that the adversary's purchase will leave traces in endpoint, network, or cloud logs; by definition it happens entirely outside the organization's telemetry.

Likely telemetry

  • External attack surface inventory and scan exposure findings
  • Threat intelligence reporting on data brokers, dark web, cybercrime marketplaces, or paid aggregation sources where available
  • Public and commercial records of domains, IP ranges, certificates, exposed services, technologies, and leaked configuration details
  • Internal asset inventory used to verify whether externally available technical data is accurate and actionable
  • Case management or intelligence workflow records showing review, triage, and remediation of externally sourced technical findings

Detection direction

  • Validate whether the organization has a repeatable process to identify technical information about itself available from external sources.
  • Correlate externally observed technical data with internal asset ownership and vulnerability context to separate stale data from actionable exposure.
  • Treat this as reconnaissance-stage detection; absence of internal alerts does not mean absence of adversary interest.
  • Tune processes to avoid overreacting to generic public information while escalating data that reveals exploitable services, vulnerable technologies, sensitive architecture, or high-value targets.
  • Use the relationship to T1597.002 as context for threat intelligence and attack surface management rather than claiming endpoint or network detection coverage.
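The correlation and tuning steps above, as an added worked example (not MITRE ATT&CK, Glexia, or any vendor's code): a small Python triage routine that joins externally observed technical findings to an internal asset inventory and open vulnerability records, so that stale data, generic public information, actionable exposure, inventory gaps and escalations are separated by explicit rules rather than by gut feel. The inventory, hostnames, source names and VULN-* labels are constructed placeholders, not real assets or vulnerabilities.

```python
"""Triage of externally sourced technical findings against internal asset context.

Added example for this page: not MITRE ATT&CK or Glexia code. Every hostname,
source name and vulnerability label below is constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Triage outcomes
INVENTORY_GAP = "inventory_gap"        # no internal record: inventory gap or retired asset, validate first
STALE = "stale"                        # external data describes something no longer exposed
GENERIC = "generic_public"             # restates intentionally public information
ACTIONABLE = "actionable_exposure"     # live exposure worth a ticket
ESCALATE = "escalate"                  # exploitable, sensitive, or architecture-revealing


@dataclass
class Asset:
    """One row of the internal external-facing asset inventory (constructed)."""
    hostname: str
    owner: str
    exposed_services: set = field(default_factory=set)  # reachable now per attack surface scan
    public_by_design: set = field(default_factory=set)  # services meant to be public
    open_vulns: set = field(default_factory=set)        # open findings from vuln management
    sensitive: bool = False                             # identity, admin, CI, remote access


@dataclass
class Finding:
    """One technical detail about the organisation observed in an external source."""
    hostname: str
    source: str                         # e.g. broker feed, marketplace listing (constructed)
    observed: date
    service: Optional[str] = None       # service the external data refers to
    vuln_id: Optional[str] = None       # vulnerability the external data claims
    reveals_architecture: bool = False  # internal ranges, config, topology


def triage(finding: Finding, inventory: dict, today: date, max_age_days: int = 90) -> str:
    """Classify one finding by correlating it with internal asset and vuln context."""
    asset = inventory.get(finding.hostname.lower())
    if asset is None:
        return INVENTORY_GAP

    service_live = finding.service is not None and finding.service in asset.exposed_services
    vuln_open = finding.vuln_id is not None and finding.vuln_id in asset.open_vulns
    aged_out = (today - finding.observed).days > max_age_days

    # Architecture leaks and sensitive or known-vulnerable live services go straight to escalation
    if finding.reveals_architecture or vuln_open or (service_live and asset.sensitive):
        return ESCALATE
    # External data names a service or vuln that internal records no longer show
    if (finding.service or finding.vuln_id) and not service_live and not vuln_open:
        return STALE
    # A claimed vuln we do not track on a live service: validate rather than dismiss
    if finding.vuln_id and service_live:
        return ACTIONABLE
    if service_live:
        return GENERIC if finding.service in asset.public_by_design else ACTIONABLE
    # Bare mention of the host with no technical detail attached
    return STALE if aged_out else GENERIC


def triage_all(findings, inventory: dict, today: date):
    """Return (hostname, source, outcome) for every finding in the batch."""
    return [(f.hostname, f.source, triage(f, inventory, today)) for f in findings]


# Constructed sample data: a three-host inventory and a batch of external findings
TODAY = date(2026, 3, 1)
INVENTORY = {
    "vpn.example.test": Asset("vpn.example.test", "netops", {"ssh", "https"}, {"https"},
                              {"VULN-2024-001"}, sensitive=True),
    "www.example.test": Asset("www.example.test", "web", {"https"}, {"https"}),
    "legacy-ftp.example.test": Asset("legacy-ftp.example.test", "it"),  # decommissioned
}
FINDINGS = [
    Finding("www.example.test", "broker-feed-A", date(2026, 2, 20), service="https"),
    Finding("vpn.example.test", "marketplace-listing-7", date(2026, 2, 25), service="ssh"),
    Finding("vpn.example.test", "broker-feed-A", date(2026, 2, 25), service="ssh",
            vuln_id="VULN-2024-001"),
    Finding("legacy-ftp.example.test", "aggregator-B", date(2025, 6, 1), service="ftp"),
    Finding("db-internal.example.test", "paste-dump-3", date(2026, 2, 27)),
    Finding("www.example.test", "paste-dump-3", date(2026, 2, 27), reveals_architecture=True),
    Finding("www.example.test", "broker-feed-A", date(2026, 2, 28), service="https",
            vuln_id="VULN-2023-999"),
]

if __name__ == "__main__":
    for host, src, outcome in triage_all(FINDINGS, INVENTORY, TODAY):
        print(f"{outcome:20} {host:28} via {src}")
```

The ordering of the rules is the point: escalation conditions are checked before staleness so that an old listing that still reveals architecture is not discarded on age alone, and a claimed vulnerability the internal records do not show is routed to validation rather than dismissed, which is where purchased data most often adds something the organization did not already know.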

Mitigation priorities

  • Maintain an accurate external asset inventory so purchased or aggregated technical data can be validated quickly.
  • Reduce unnecessary public exposure of technical details, services, and configuration information where business need does not justify it.
  • Integrate external exposure findings with vulnerability management and incident response prioritization.
  • Establish governance for lawful monitoring of commercial and open sources that may contain organizational technical data.
  • Document review and remediation actions as compliance and risk-management evidence where external exposure management is in scope.

Analyst notes and limits

This object is useful primarily as a planning and validation prompt for reconnaissance detection. Because the official detection strategy has no description or detection guidance, the strongest defensible use is to map it to external exposure monitoring, threat intelligence workflows, and validation against internal asset and vulnerability records.

ATT&CK provides no official description, detection logic, platforms, tactics, aliases, or labels for DET0880. The only behavioral context supplied is its relationship to T1597.002, Purchase Technical Data. Local data sources, legal constraints, intelligence subscriptions, and asset-management maturity will determine practical coverage.

Official MITRE ATT&CK definition

Detection of Purchase Technical Data

No official description is available in the imported ATT&CK source object.

The same entry is available on attack.mitre.org (MITRE-hosted reference).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain: Enterprise
ID: T1597.002
Name: Purchase Technical Data (Sub-technique)
Relationship / procedure: This object detects Purchase Technical Data.
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created: (no value in the mirrored snapshot)
Modified: (no value in the mirrored snapshot)
Raw hash: f69d2b3a2c12b58d...

Imported snapshots across ATT&CK releases (1)

Release: 19.1
Bundle imported: (no value in the mirrored snapshot)
Object version: 1.0
Modified: (no value in the mirrored snapshot)
Status: Current bundle
Raw hash: f69d2b3a2c12…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack DET0880 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.