MITRE ATT&CK® Detection Strategy

DET0884: Detection of Acquire Access

Enterprise | DET0884 | Detection Strategy | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

DET0884 is a MITRE detection strategy for Acquire Access (T1650), where adversaries obtain already-compromised access to a target through purchase, sharing, or brokered relationships. Its practical importance is that the compromise may begin before the victim sees malware, phishing, or exploitation activity in its own telemetry. Leaders should treat this as a readiness gap: can the organization recognize signs that valid access was acquired and used, even when the original intrusion path is unknown?

Executive priority

This behavior matters because it can shorten the path from external threat activity to an internal incident by bypassing many prevention controls focused on initial exploitation. Priority should be placed on validating identity monitoring, third-party and external exposure processes, incident response playbooks for unknown initial access, and evidence needed to support audit or regulatory questions about suspicious account use. Since the ATT&CK detection strategy provides no official detection text or platform scope, coverage should not be assumed; it should be proven with local telemetry and response exercises.

Technical view

SOC, detection engineering, and IR teams should use this strategy as a prompt to validate detection coverage around the related technique, Acquire Access (T1650), under Resource Development and PRE context. Because MITRE does not provide specific detection logic for DET0884, teams should focus on downstream evidence that acquired access is being used: anomalous authentication, unexpected access from new infrastructure, suspicious use of legitimate accounts, unusual remote access patterns, and deviations from normal account behavior. IR playbooks should account for cases where the first observable event is valid credential or session use rather than exploit execution.

Likely telemetry

  • Identity provider authentication logs and sign-in risk events
  • VPN, remote access, SSO, and privileged access logs
  • Account lifecycle and access change records
  • Endpoint and network telemetry showing first use of access from unusual locations or systems
  • Cloud control plane and SaaS audit logs where applicable to the local environment

Detection direction

  • Validate whether detections can identify suspicious use of legitimate access without relying on malware or exploit indicators.
  • Tune for behavior changes such as new source locations, impossible travel, unusual access times, atypical systems, or privilege use inconsistent with account history.
  • Correlate authentication, access management, endpoint, and network evidence so analysts can distinguish acquired access from normal remote work or administrator activity.
  • Review false positives from travel, VPN changes, managed service providers, and emergency administrative activity.
  • Document blind spots where logs are unavailable, retention is too short, or identity events are not integrated into the SOC workflow.
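As an added illustration of the tuning bullets above (this is example code, not MITRE's or Glexia's), a minimal Python check that compares constructed identity-provider sign-in events against a per-account baseline and flags first-seen country or device, off-hours use, and impossible travel; the baseline contents, working-hours window, speed threshold, and all sample values are assumptions.

```python
# Added example (not MITRE's or Glexia's code): baseline checks over constructed IdP sign-in events.
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

@dataclass
class SignIn:
    user: str
    ts: datetime  # UTC
    country: str
    lat: float
    lon: float
    device: str

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    h = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def detect(events, baseline, work_hours=(7, 20), max_kmh=900.0):
    """Return (event, reason) pairs. baseline maps user -> known countries/devices and is
    deliberately not auto-updated: an analyst, not the detector, decides what becomes normal."""
    findings, last_seen = [], {}
    for e in sorted(events, key=lambda x: x.ts):
        known = baseline.get(e.user, {"countries": set(), "devices": set()})
        if e.country not in known["countries"]:
            findings.append((e, f"first sign-in from country {e.country}"))
        if e.device not in known["devices"]:
            findings.append((e, f"first sign-in from device {e.device}"))
        if not work_hours[0] <= e.ts.hour < work_hours[1]:
            findings.append((e, "sign-in outside working hours"))
        prev = last_seen.get(e.user)
        if prev is not None:
            hours = (e.ts - prev.ts).total_seconds() / 3600
            km = haversine_km(prev.lat, prev.lon, e.lat, e.lon)
            if hours > 0 and km / hours > max_kmh:
                findings.append((e, f"impossible travel: {km:.0f} km in {hours:.1f} h"))
        last_seen[e.user] = e
    return findings

# Constructed sample: a legitimate US sign-in, then the same valid account used 40 minutes
# later from a new country and device, then again from that device at night.
BASELINE = {"alice": {"countries": {"US"}, "devices": {"alice-laptop"}}}
EVENTS = [SignIn("alice", datetime(2024, 5, 6, 9, 0), "US", 40.71, -74.01, "alice-laptop"),
          SignIn("alice", datetime(2024, 5, 6, 9, 40), "NL", 52.37, 4.90, "win-unknown-01"),
          SignIn("alice", datetime(2024, 5, 7, 2, 15), "NL", 52.37, 4.90, "win-unknown-01")]

def run_sample():
    return detect(EVENTS, BASELINE)
```

The first event produces no finding; the second yields three (new country, new device, impossible travel) and the third three more (new country, new device, off-hours), which is the correlated picture an analyst would want rather than a single isolated alert.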

Mitigation priorities

  • Prioritize strong identity controls, including phishing-resistant MFA where feasible, privileged access governance, and rapid disablement of suspicious accounts or sessions.
  • Reduce exposure of remote access and administrative interfaces and ensure access is monitored and justified.
  • Maintain incident response procedures for suspected acquired access, including credential reset, session revocation, access review, and scope validation.
  • Use threat intelligence and external exposure monitoring to inform risk prioritization, while treating it as context rather than proof of compromise.
  • Preserve authentication and access logs long enough to investigate cases where the initial compromise occurred before internal detection.

Analyst notes and limits

The supplied ATT&CK object is a detection strategy with no official description, no official detection text, and no specified platforms or tactics. The main analytic value comes from its relationship to T1650 Acquire Access, which is associated with Resource Development and PRE. Local environment architecture, identity stack, remote access patterns, and logging maturity will determine what detection coverage is realistic.

This take is constrained to the provided ATT&CK fields, external reference, and relationship context. It does not assert active exploitation, specific adversary attribution, affected platforms beyond the related PRE context, or guaranteed detection methods. Any concrete rule logic or control assessment requires organization-specific telemetry and baselines.

Official MITRE ATT&CK definition

Detection of Acquire Access

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain     | ID    | Name           | Relationship / procedure
Enterprise | T1650 | Acquire Access | This object detects Acquire Access.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.0
Raw hash: 52ab2e89c627a25b...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | 52ab2e89c627…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack DET0884 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.