T1650: Acquire Access
Adversaries may purchase or otherwise acquire an existing access to a target system or network. A variety of online services and initial access broker networks are available to sell access to previously compromised systems.[1][2][3] In some cases, adversary groups may form partnerships to share compromised systems with each other.[4]
Footholds to compromised systems may take a variety of forms, such as access to planted backdoors (e.g., Web Shell) or established access via External Remote Services. In some cases, access brokers will implant compromised systems with a “load” that can be used to install additional malware for paying customers.[1]
By leveraging existing access broker networks rather than developing or obtaining their own initial access capabilities, an adversary can potentially reduce the resources required to gain a foothold on a target network and focus their efforts on later stages of compromise. Adversaries may prioritize acquiring access to systems that have been determined to lack security monitoring or that have high privileges, or systems that belong to organizations in a particular sector.[1][2]
In some cases, purchasing access to an organization in sectors such as IT contracting, software development, or telecommunications may allow an adversary to compromise additional victims via a Trusted Relationship, Multi-Factor Authentication Interception, or even Supply Chain Compromise.
**Note:** while this technique is distinct from other behaviors such as Purchase Technical Data and Credentials, they may often be used in conjunction (especially where the acquired foothold requires Valid Accounts).
Analyst context for executives and security teams
Acquire Access matters because the first foothold may be bought or shared before the victim sees any obvious intrusion attempt. For leaders, this means prevention cannot rely only on blocking phishing or exploit delivery; the organization must assume some adversaries can start with an existing backdoor, remote access path, or valid account obtained through an access broker or partner ecosystem.
Executive priority
Prioritize this as a pre-compromise and resilience issue. The business question is whether the organization can reduce the value of its exposed access, detect misuse of already-compromised entry points, and prove to auditors or executives that remote services, privileged access, third-party connectivity, and monitoring coverage are governed. Organizations in IT contracting, software development, or telecommunications should also treat acquired access as a potential trusted-relationship and supply-chain risk because access to one environment may enable compromise of others.
Technical view
This is an Enterprise ATT&CK Resource Development technique on the PRE platform, so the purchase or acquisition itself may not appear in internal logs. SOC and IR teams should validate the downstream entry paths named by ATT&CK: web shells, external remote services, valid accounts, MFA-related abuse, trusted relationships, and supply-chain pathways. The related detection strategy DET0884 indicates ATT&CK has detection context for Acquire Access, but the supplied object provides no official detection text; teams should therefore map coverage to observable follow-on access rather than claiming direct visibility into broker activity.
Likely telemetry
- External remote service authentication logs, including successful logons, source geography/network changes, and unusual timing
- Identity and access management logs for valid account use, privilege level, MFA prompts, and anomalous session patterns
- Web server, application, and endpoint telemetry that could reveal planted backdoors or web shells
- EDR/server logs showing unexpected malware loading or post-access tooling following an existing foothold
- Third-party, contractor, vendor, and trusted-relationship access records
Detection direction
- Do not treat lack of exploit or phishing telemetry as reassurance; acquired access may begin with a legitimate-looking account or pre-positioned backdoor.
- Tune detections around first observed internal use of remote access, valid accounts, web shells, and privileged sessions, especially where the access path has limited historical use.
- Correlate identity events with endpoint and server activity to distinguish normal administration from brokered foothold use.
- Review monitoring gaps on externally reachable systems and high-privilege accounts, because ATT&CK notes adversaries may prefer access to systems with weak monitoring or high privileges.
- For third-party and supplier connections, validate whether logs identify the originating organization, user, device, and session behavior well enough for incident response.
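The telemetry and detection direction above can be reduced to a small baseline-versus-window review. The Python script below is an added example, not code from MITRE ATT&CK or from Glexia: it parses a handful of constructed external remote-service logon and endpoint process events, builds a per-user profile of source addresses and countries from a baseline period, flags later successful logons that use a new source, a new country, an account with no prior history, or an off-hours time, and attaches any endpoint process starts by the same identity within a short window. The key=value log format, field names, baseline cut-off, business-hours window, correlation window and every sample value (users, hosts, addresses, image names) are assumptions made for the illustration.

```python
"""Added example (not code from MITRE ATT&CK or Glexia).

Baseline-versus-window review of external remote-service logons, with
follow-on endpoint activity correlated per user. The key=value log format,
the field names, the baseline cut-off, the business-hours window and the
sample events are all constructed for this illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. kind=auth lines are logons to an external remote
# service; kind=proc lines are endpoint process starts attributed to the same
# user identity. Addresses are from documentation ranges.
SAMPLE_LOG = """\
ts=2024-03-01T09:12:00 kind=auth user=jdoe src=203.0.113.10 geo=US result=success
ts=2024-03-04T08:55:00 kind=auth user=jdoe src=203.0.113.10 geo=US result=success
ts=2024-03-05T10:02:00 kind=auth user=svc_backup src=198.51.100.7 geo=US result=success
ts=2024-03-12T02:41:00 kind=auth user=jdoe src=192.0.2.44 geo=RO result=success
ts=2024-03-12T02:43:10 kind=proc user=jdoe host=FS01 image=anydesk.exe
ts=2024-03-12T03:05:00 kind=auth user=contractor_old src=192.0.2.45 geo=RO result=success
ts=2024-03-12T03:06:30 kind=proc user=contractor_old host=WEB02 image=powershell.exe
ts=2024-03-12T14:00:00 kind=auth user=svc_backup src=198.51.100.7 geo=US result=success
"""

BASELINE_END = datetime(2024, 3, 10)        # assumption: events before this define "normal"
BUSINESS_HOURS = range(7, 20)               # assumption: 07:00-19:59 local time
CORRELATION_WINDOW = timedelta(minutes=10)  # assumption: follow-on activity window


def parse(log_text):
    """Turn key=value lines into dicts; the ts field becomes a datetime."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        fields = dict(token.split("=", 1) for token in line.split())
        fields["ts"] = datetime.fromisoformat(fields["ts"])
        events.append(fields)
    return events


def build_baseline(events):
    """Per-user source addresses and countries seen in successful logons before BASELINE_END."""
    baseline = defaultdict(lambda: {"src": set(), "geo": set()})
    for e in events:
        if e["kind"] == "auth" and e["result"] == "success" and e["ts"] < BASELINE_END:
            baseline[e["user"]]["src"].add(e["src"])
            baseline[e["user"]]["geo"].add(e["geo"])
    return baseline


def find_suspicious_logons(events):
    """Flag successful logons after BASELINE_END that deviate from the user's
    baseline or fall outside business hours, and attach endpoint process
    starts by the same user within CORRELATION_WINDOW of the logon."""
    baseline = build_baseline(events)
    procs = [e for e in events if e["kind"] == "proc"]
    findings = []
    for e in events:
        if e["kind"] != "auth" or e["result"] != "success" or e["ts"] < BASELINE_END:
            continue
        reasons = []
        profile = baseline.get(e["user"])  # .get does not create a defaultdict entry
        if profile is None:
            reasons.append("no prior successful logon in baseline")
        else:
            if e["src"] not in profile["src"]:
                reasons.append("new source address")
            if e["geo"] not in profile["geo"]:
                reasons.append("new source country")
        if e["ts"].hour not in BUSINESS_HOURS:
            reasons.append("outside business hours")
        if not reasons:
            continue
        follow_on = [
            f"{p['image']} on {p['host']}"
            for p in procs
            if p["user"] == e["user"] and e["ts"] <= p["ts"] <= e["ts"] + CORRELATION_WINDOW
        ]
        findings.append({"user": e["user"], "ts": e["ts"].isoformat(),
                         "reasons": reasons, "follow_on": follow_on})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_logons(parse(SAMPLE_LOG)):
        print(f["ts"], f["user"], "; ".join(f["reasons"]), "->",
              f["follow_on"] or "no follow-on activity seen")
```

On the constructed input the routine flags the `jdoe` logon from a new address and country at 02:41, followed by a remote-management tool start on a file server, and the dormant `contractor_old` account that has no baseline history at all; the service account that keeps its usual source and hours is not flagged. In a real deployment the baseline comes from the SIEM's retained history rather than a string literal, the business-hours window and correlation window come from the inventory work listed under the mitigation priorities, and the `proc` join should be extended to whatever endpoint or server events the organisation actually collects.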
Mitigation priorities
- Apply the related ATT&CK mitigation theme M1056 Pre-compromise by reducing exposed attack surface and making adversary preparation harder.
- Inventory and govern external remote services, third-party access paths, and privileged accounts before tuning detections.
- Strengthen identity controls around valid accounts and MFA, especially for remote and supplier access.
- Improve monitoring on internet-facing systems and high-value servers where a planted backdoor or web shell would create durable access.
- Build incident response playbooks for the scenario where the initial compromise predates detection and the first visible event is account or remote-service misuse.
Analyst notes and limits
The key decision value is recognizing that initial access may be commoditized outside the defender’s visibility. This technique should drive validation of pre-compromise controls, identity monitoring, remote access governance, and IR assumptions rather than a single signature-based detection.
MITRE provides no official detection text in the supplied object, and PRE-stage acquisition activity may occur outside enterprise telemetry. The relationship to DET0884 is noted but no detection details are supplied here. Local environment data is required to determine actual exposure, logging coverage, and whether any acquired access has been used.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Groups, software, and campaigns
G1051: Medusa Group
Medusa Group has been active since at least 2021 and was initially operated as a closed ransomware group before evolving into a Ransomware-as-a-Service (RaaS) operation. Some reporting indicates that certain attacks may still be conducted directly by the ransomware’s core developers. Public sources have also referred to the group as “Spearwing” or “Medusa Actors.”[1][2] Medusa Group employs living-off-the-land techniques, frequently leveraging publicly available tools and common remote management software to conduct operations. The group engages in double extortion tactics, exfiltrating data prior to encryption and threatening to publish stolen information if ransom demands are not met.[3] For initial access, Medusa Group has exploited publicly known vulnerabilities, conducted phishing campaigns, and used credentials or access purchased from Initial Access Brokers (IABs). The group is opportunistic and has targeted a wide range of sectors globally.[4]
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | fc60e566f0a2… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Microsoft. (2022, May 9). Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself. Retrieved March 10, 2023.
[2] CrowdStrike Intelligence Team. (2022, February 23). Access Brokers: Who Are the Targets, and What Are They Worth? Retrieved March 10, 2023.
[3] Brian Krebs. (2012, October 22). Service Sells Access to Fortune 500 Firms. Retrieved March 10, 2023.
[4] Cybersecurity Infrastructure and Defense Agency. (2022, June 2). Karakurt Data Extortion Group. Retrieved March 10, 2023.
[5] MITRE ATT&CK. T1650: Acquire Access.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.