MITRE ATT&CK® Detection Strategy

DET0895: Detection of Acquire Infrastructure

Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

DET0895 is a detection strategy object for identifying activity related to ATT&CK T1583, Acquire Infrastructure. Its business value is early warning: adversaries often prepare domains, servers, cloud resources, or third-party services before intrusion activity becomes visible in endpoint or network alerts. Because the supplied ATT&CK object has no official detection text or platform detail, this should be treated as a planning anchor rather than a ready-to-deploy analytic.

Executive priority

Prioritize this as a resilience and readiness question: does the organization have a way to notice adversary-owned infrastructure before it is used against the business, and can that evidence support incident decisions, threat intelligence enrichment, and compliance reporting? Leaders should ask whether SOC, threat intelligence, cloud security, and incident response teams share infrastructure indicators and whether budget is assigned to external-facing monitoring, enrichment, and response workflows rather than relying only on post-compromise telemetry.

Technical view

The object detects T1583 Acquire Infrastructure, which sits under the Resource Development tactic and uses the PRE platform context in the supplied relationship. Since no official detection logic is provided, SOC and detection engineering teams should validate whether they can observe or enrich suspicious domains, servers, cloud-hosted assets, third-party web services, free-trial infrastructure, and other externally acquired resources when they become relevant to targeting. Treat detections as intelligence-led correlation and risk scoring rather than a single deterministic alert.

Likely telemetry

  • Threat intelligence feeds and infrastructure reputation data
  • DNS registration, passive DNS, and domain age/enrichment data
  • Certificate transparency and TLS certificate metadata
  • Network security logs showing connections to newly observed or suspicious infrastructure
  • Proxy, web gateway, and DNS resolver logs

Detection direction

  • Map existing detections and enrichment workflows to T1583 rather than assuming DET0895 provides deployable logic.
  • Validate visibility into newly registered domains, leased or cloud-hosted servers, third-party web services, and other infrastructure types described in the related ATT&CK technique.
  • Tune for context: newly created infrastructure alone can be benign, so prioritize correlation with targeting, suspicious naming, reputation changes, certificate patterns, DNS behavior, or observed connections from enterprise assets.
  • Check blind spots where telemetry is commonly incomplete, including unmanaged DNS resolution, encrypted traffic without metadata capture, limited passive DNS access, and lack of external infrastructure enrichment.
  • Ensure alerts can be handed to incident response with enough evidence to support blocking, monitoring, or threat hunting decisions.
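The intelligence-led risk scoring described in the technical view and the tuning bullet above, as an added example rather than Glexia's or MITRE's own code: constructed resolver log lines are grouped by queried name and scored against constructed enrichment (registration age, passive DNS first-seen, certificate age, feed reputation, look-alike naming), and only names that accumulate several weak signals are handed to incident response with their evidence. The log format, field names, weights, thresholds and function names are assumptions.

```python
from datetime import datetime, timezone
from typing import Dict, List, Tuple
# Constructed sample resolver log, hypothetical "timestamp client qname" format.
DNS_LOG = """\
2024-05-02T09:14:03Z 10.20.4.17 update.example-corp-portal.com
2024-05-02T09:14:09Z 10.20.4.17 cdn.wellknownvendor.example
2024-05-02T09:15:44Z 10.20.7.3 login-examplecorp.net
2024-05-02T09:16:10Z 10.20.7.3 login-examplecorp.net
"""
# Constructed enrichment standing in for WHOIS, passive DNS, CT-log and reputation feeds.
ENRICHMENT: Dict[str, dict] = {
    "update.example-corp-portal.com": {"registered": "2024-04-20", "pdns_first_seen": "2024-04-30",
                                        "cert_not_before": "2024-04-30", "feed_hit": False},
    "cdn.wellknownvendor.example": {"registered": "2009-03-11", "pdns_first_seen": "2015-01-01",
                                    "cert_not_before": "2024-01-10", "feed_hit": False},
    "login-examplecorp.net": {"registered": "2024-04-29", "pdns_first_seen": "2024-05-01",
                              "cert_not_before": "2024-05-01", "feed_hit": True},
}
ORG_KEYWORDS = ("examplecorp", "example-corp")  # constructed look-alike terms for the organisation
NOW = datetime(2024, 5, 2, 9, 20, tzinfo=timezone.utc)  # fixed "now" so the example is reproducible

def score_domain(domain: str, enrichment: Dict[str, dict], now: datetime = NOW) -> Tuple[int, List[str]]:
    """Additive risk score: each signal is weak alone, so an alert needs several to coincide."""
    info = enrichment.get(domain)
    if info is None:  # missing enrichment is a visibility gap, not evidence that the domain is benign
        return 0, ["no enrichment available"]
    age = lambda d: (now - datetime.strptime(d, "%Y-%m-%d").replace(tzinfo=timezone.utc)).days
    signals = [  # (weight, reason, fired?)
        (3, "registered <30 days ago", age(info["registered"]) < 30),
        (2, "first seen in passive DNS <7 days ago", age(info["pdns_first_seen"]) < 7),
        (1, "TLS certificate issued <7 days ago", age(info["cert_not_before"]) < 7),
        (4, "listed by threat intelligence feed", info["feed_hit"]),
        (2, "name imitates the organisation", any(k in domain for k in ORG_KEYWORDS)),
    ]
    hits = [(w, why) for w, why, fired in signals if fired]
    return sum(w for w, _ in hits), [why for _, why in hits]

def triage(log: str, enrichment: Dict[str, dict], now: datetime = NOW, threshold: int = 5) -> List[dict]:
    """Group resolver lines by queried name, score each name, keep those at or above the threshold."""
    clients: Dict[str, set] = {}
    for line in log.splitlines():
        _ts, client, qname = line.split()
        clients.setdefault(qname.lower().rstrip("."), set()).add(client)
    alerts = []
    for domain, hosts in clients.items():
        score, reasons = score_domain(domain, enrichment, now)
        if score >= threshold:  # hand IR the evidence: score, why, and which enterprise assets resolved it
            alerts.append({"domain": domain, "score": score, "reasons": reasons, "hosts": sorted(hosts)})
    return sorted(alerts, key=lambda a: -a["score"])
```

With these constructed inputs the established vendor CDN scores 0 while the two young look-alike names cross the threshold, which is the behaviour the tuning bullet asks for: newly created infrastructure alone is not an alert, its coincidence with naming, reputation and certificate signals is.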

Mitigation priorities

  • Establish governance for threat intelligence ingestion, indicator validation, and expiry so infrastructure-based decisions remain current.
  • Ensure DNS, proxy, network, and relevant external intelligence sources are retained and searchable for investigations.
  • Define response playbooks for suspicious external infrastructure, including when to monitor, block, enrich, or escalate.
  • Integrate infrastructure indicators into SOC workflows and incident response case management to preserve audit evidence and decision rationale.
  • Review coverage periodically against T1583 because this detection strategy has no official ATT&CK detection procedure or platform-specific implementation guidance.

Analyst notes and limits

This take is based on the detection strategy DET0895 and its relationship to T1583 Acquire Infrastructure. The relationship indicates a resource-development, PRE-context behavior involving adversaries obtaining infrastructure such as servers, domains, cloud resources, and third-party web services. The practical value is earlier identification and enrichment of infrastructure that may later be used in targeting.

The supplied ATT&CK object provides no official description, no official detection text, no tactics, and no platforms for the detection strategy itself. Recommendations therefore remain high-level and must be validated against local telemetry, legal/privacy constraints, intelligence sources, and response processes. No active exploitation, attribution, or guaranteed detection coverage is implied.

Official MITRE ATT&CK definition

Detection of Acquire Infrastructure

No official description is available in the imported ATT&CK source object.

The same entry is available on attack.mitre.org (MITRE-hosted reference); in-page links above use the Glexia ATT&CK library.

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain      ID     Name                    Relationship / procedure
Enterprise  T1583  Acquire Infrastructure  This object detects Acquire Infrastructure.
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the same object can be compared across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.

  • ATT&CK release: 19.1
  • Object version: 1.0
  • Status: current bundle
  • Raw hash: 32c0346b3906190e...
  • Imported snapshots across ATT&CK releases: 1

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.