MITRE ATT&CK® Detection Strategy

DET0885: Detection of Compromise Infrastructure


Enterprise | DET0885 | Detection Strategy | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

DET0885 is a detection strategy tied to ATT&CK technique T1584, Compromise Infrastructure. The business value is in recognizing that adversary preparation can involve hijacked or abused third-party infrastructure before the visible intrusion begins. For leaders, this matters because compromised domains, servers, DNS, network devices, or cloud-hosted services can make malicious activity look less suspicious and can complicate incident scoping, blocking decisions, and third-party risk discussions.

Executive priority

Prioritize this as a threat intelligence, SOC readiness, and incident response question: can the organization identify when external infrastructure interacting with the enterprise appears to be compromised or repurposed, even if it is not obviously attacker-owned? This supports faster containment decisions, better evidence for investigations, and more defensible risk conversations with business units that depend on internet-facing, cloud, DNS, and third-party services.

Technical view

The supplied ATT&CK object has no official detection text, platforms, or tactics of its own, but it detects T1584 Compromise Infrastructure, which is a Resource Development behavior on the PRE platform (activity that happens before the adversary touches the victim environment). SOC and detection teams should therefore treat this as a pre-intrusion or early-warning analytic area rather than an endpoint-only detection. Validate whether threat intelligence, DNS, network, proxy, email, cloud access, and incident case data can correlate suspicious external infrastructure with inbound targeting, command-and-control-like contact patterns, domain/DNS anomalies, or infrastructure reputation changes. Because the related technique includes physical or cloud servers, domains, network devices, and third-party web and DNS services, coverage should be assessed across internet-facing telemetry and enrichment sources, not just internal host logs.

Likely telemetry

  • Threat intelligence indicators and reputation/enrichment data for domains, IP addresses, hosting providers, DNS infrastructure, and web services
  • DNS query and passive DNS-style evidence where available
  • Network connection, proxy, firewall, and secure web gateway logs showing communication with external infrastructure
  • Email security telemetry if external infrastructure is used in targeting or delivery paths
  • Cloud access and service logs where third-party or cloud-hosted infrastructure interacts with enterprise assets

Detection direction

  • Inventory which telemetry sources can show external domains, IPs, DNS services, and cloud-hosted services interacting with the organization.
  • Correlate infrastructure indicators with context rather than relying only on static blocklists; compromised legitimate infrastructure may have mixed benign and malicious use.
  • Tune for changes in infrastructure reputation, DNS resolution, hosting patterns, unusual contact timing, and repeated interaction with assets or users under investigation.
  • Use the relationship to T1584 to frame detections as resource-development intelligence that may precede direct compromise; ensure alerts can be routed to threat intelligence and incident response workflows.
  • Document false-positive handling for legitimate third-party services, shared hosting, CDNs, DNS providers, and cloud infrastructure, since the supplied ATT&CK content does not define platform-specific logic.
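The correlation approach sketched in the list above, worked through as an added example that is not part of the Glexia page or of MITRE ATT&CK: constructed proxy log lines are joined with constructed passive-DNS and reputation history, and each contacted domain is scored on contextual signals (a recent hosting change, a reputation drop, contact from a host already under investigation, off-hours timing) instead of a static blocklist. Shared/CDN providers are annotated for false-positive review rather than suppressed. All domain names, IP addresses, provider names, hosts, log format and signal weights are assumptions made for this example.

```python
import re
from datetime import datetime, timedelta, timezone

# --- Constructed sample data (assumptions for this example, not page content) ---

# Passive-DNS-style history per domain, oldest first: (first_seen, resolved_ip, hosting_provider).
# Names use the reserved .test TLD and documentation address ranges.
PASSIVE_DNS = {
    "updates.example-vendor.test": [
        ("2025-11-02", "203.0.113.10", "VendorHost"),
        ("2026-02-27", "198.51.100.77", "NewHostCo"),   # moved hosts days before contact
    ],
    "assets.example-cdn.test": [("2025-01-15", "192.0.2.5", "BigCDN")],
    "mirror.example-partner.test": [("2025-08-01", "203.0.113.44", "PartnerHost")],
}

# Reputation history per domain, oldest first: (date, score 0-100, higher is better).
REPUTATION = {
    "updates.example-vendor.test": [("2025-11-02", 90), ("2026-02-28", 35)],
    "assets.example-cdn.test": [("2025-01-15", 95)],
    "mirror.example-partner.test": [("2025-08-01", 88)],
}

SHARED_PROVIDERS = {"BigCDN"}          # CDNs / shared hosting: high false-positive potential
UNDER_INVESTIGATION = {"10.0.0.23"}    # internal hosts with an open incident case

# Constructed proxy log in a simple key=value format; the last line is deliberately malformed.
PROXY_LOG = """\
2026-03-02T03:12:44Z src=10.0.0.23 dst=updates.example-vendor.test action=allowed bytes=1420
2026-03-02T03:13:01Z src=10.0.0.23 dst=updates.example-vendor.test action=allowed bytes=980
2026-03-02T14:05:10Z src=10.0.0.51 dst=assets.example-cdn.test action=allowed bytes=50211
2026-03-02T15:30:00Z src=10.0.0.23 dst=mirror.example-partner.test action=allowed bytes=3300
not a proxy line
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) action=(?P<action>\S+) bytes=(?P<bytes>\d+)$"
)


def parse_proxy_log(text):
    """Parse the constructed proxy format; malformed lines are skipped rather than fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        f = m.groupdict()
        events.append({
            "ts": datetime.strptime(f["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "src": f["src"], "dst": f["dst"], "action": f["action"], "bytes": int(f["bytes"]),
        })
    return events


def _day(s):
    return datetime.strptime(s, "%Y-%m-%d").replace(tzinfo=timezone.utc)


def score_domains(events, passive_dns, reputation, investigated, shared, lookback=timedelta(days=30)):
    """Score each contacted domain on contextual signals; the weights are illustrative assumptions."""
    by_domain = {}
    for e in events:
        by_domain.setdefault(e["dst"], []).append(e)

    findings = {}
    for domain, evs in by_domain.items():
        score, reasons = 0, []
        window_start = min(e["ts"] for e in evs) - lookback
        history = passive_dns.get(domain, [])

        # Signal 1: resolution / hosting changed inside the lookback window (first record is baseline).
        moves = [h for h in history[1:] if _day(h[0]) >= window_start]
        if moves:
            seen, ip, provider = moves[-1]
            score += 3
            reasons.append(f"resolution changed to {ip} ({provider}) on {seen}")

        # Signal 2: reputation dropped sharply inside the window.
        rep = reputation.get(domain, [])
        if len(rep) >= 2 and _day(rep[-1][0]) >= window_start and rep[-1][1] <= rep[-2][1] - 30:
            score += 3
            reasons.append(f"reputation fell from {rep[-2][1]} to {rep[-1][1]} on {rep[-1][0]}")

        # Signal 3: contacted by a host that is already under investigation.
        if any(e["src"] in investigated for e in evs):
            score += 2
            reasons.append("contacted by host under investigation")

        # Signal 4: contact during 00:00-05:59 UTC, the unusual-timing heuristic used in this example.
        if any(e["ts"].hour < 6 for e in evs):
            score += 1
            reasons.append("off-hours contact")

        # False-positive context: shared/CDN providers are flagged for review, never auto-suppressed.
        if {h[2] for h in history} & shared:
            reasons.append("shared/CDN provider: validate before blocking")

        findings[domain] = {"score": score, "reasons": reasons}
    return findings


def triage(findings, threshold=5):
    """Domains at or above the threshold, highest score first, for routing to TI / IR workflows."""
    hits = [(d, f["score"]) for d, f in findings.items() if f["score"] >= threshold]
    return [d for d, _ in sorted(hits, key=lambda x: -x[1])]


def run():
    findings = score_domains(parse_proxy_log(PROXY_LOG), PASSIVE_DNS, REPUTATION,
                             UNDER_INVESTIGATION, SHARED_PROVIDERS)
    for domain in triage(findings):
        print(domain, findings[domain])
    return findings


if __name__ == "__main__":
    run()
```

With the constructed data, only the vendor domain that moved hosts and lost reputation shortly before being contacted off-hours by an investigated host crosses the triage threshold; the partner mirror is contacted by the same host but carries no infrastructure-change context and stays below it. The scoring and thresholds would be tuned locally against real enrichment sources, as the analyst notes on this page require.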

Mitigation priorities

  • Strengthen collection and retention for DNS, network, proxy, email, and cloud access telemetry that can support infrastructure analysis.
  • Maintain a process for enriching and validating external infrastructure indicators before blocking business-critical services.
  • Integrate threat intelligence review with incident response playbooks so suspected compromised infrastructure can inform scoping, containment, and communications decisions.
  • Review third-party and internet dependency risk where business services rely on domains, DNS, cloud hosting, or web providers that could be abused by adversaries.
  • Use findings as compliance and audit evidence for monitoring, incident response readiness, and third-party risk management, while avoiding claims of complete coverage unless validated locally.

Analyst notes and limits

This take is based on the detection strategy object DET0885 and its relationship to T1584 Compromise Infrastructure. The ATT&CK object itself does not provide an official description, detection text, platforms, or tactics, so the practical guidance is intentionally framed around validation questions and telemetry classes implied by the related technique description.

Local environment evidence is required to determine actual coverage, alert quality, retention, and response procedures. The supplied ATT&CK fields do not support claims about specific tools, vendors, active exploitation, actor attribution, affected platforms for this detection strategy, or guaranteed detection outcomes.

Official MITRE ATT&CK definition

Detection of Compromise Infrastructure

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain | ID | Name | Relationship / procedure
Enterprise | T1584 | Compromise Infrastructure | This object detects Compromise Infrastructure.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: bb3af847e6f66daa...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | bb3af847e6f6…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack DET0885 (source URL)
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.