MITRE ATT&CK® Analytic

AN2002: Analytic 2002

Consider monitoring social media activity related to your organization. Suspicious activity may include personas claiming to work for your organization or recently modified accounts making numerous connection requests to accounts affiliated with your organization. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access (ex: Spearphishing via Service). Monitor and analyze traffic patterns and packet inspection associated with protocol(s), leveraging SSL/TLS inspection for encrypted traffic, that do not follow the expected protocol standards and traffic flows (e.g. extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous process execution and command-line arguments associated with traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

Domain: Enterprise | ID: AN2002 | Type: Analytic | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This analytic is about watching for early warning signs before or around initial access: suspicious social media activity tied to the organization, plus anomalous network/protocol behavior that may indicate activity not matching expected traffic flows. For leaders, the value is not a single alert; it is whether the organization can connect external pre-incident signals with internal network and endpoint evidence quickly enough to support phishing, impersonation, and intrusion triage.

Executive priority

Prioritize this as a readiness and evidence-quality issue. Executives should ask whether the organization monitors brand/persona abuse relevant to employees, whether SOC teams can correlate those findings with network, process, and command-line telemetry, and whether incident response has a defined path for escalating suspicious pre-attack indicators into investigation. This supports operational resilience, phishing-risk governance, and audit evidence for monitoring and response processes, but the supplied ATT&CK object does not establish any specific threat actor, campaign, or confirmed exploitation pattern.

Technical view

The object is a detection analytic in the enterprise domain with platform listed as PRE and no specified tactic or relationships. Validation should focus on two evidence streams described by MITRE: external social media observations involving personas claiming affiliation or recently modified accounts sending many connection requests to organization-affiliated accounts; and internal network/protocol anomalies such as packets outside established flows, gratuitous or unusual traffic patterns, abnormal syntax or structure, and encrypted traffic visibility where SSL/TLS inspection is authorized. SOC teams should test whether those signals can be correlated with process monitoring and command-line data to identify unusual processes or files initiating protocol connections they do not normally initiate.

Likely telemetry

  • Social media or external brand/persona monitoring records related to the organization
  • Reports of suspicious connection requests to employees or affiliated accounts
  • Account metadata changes for suspicious external personas where available
  • Network traffic flow records and packet-level or protocol inspection data
  • SSL/TLS inspection metadata or decrypted inspection evidence where legally and operationally approved

Detection direction

  • Validate that external social-media monitoring has an escalation path into SOC or incident response workflows instead of remaining only a brand-protection activity.
  • Tune for suspicious clusters, such as recently modified accounts making numerous connection requests to organization-affiliated users, while accounting for benign recruiters, vendors, partners, and marketing activity.
  • Baseline expected protocol standards and traffic flows before treating anomalous packets, syntax, or structure as suspicious.
  • Correlate network anomalies with process and command-line telemetry to reduce false positives and identify unusual executables or files initiating connections.
  • Document visibility gaps where encrypted traffic cannot be inspected, packet capture is unavailable, endpoint process data is incomplete, or external social platforms limit accessible evidence.
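The correlation step in the list above (join a flagged flow to the process that initiated it, then ask whether that image normally speaks that protocol) is easier to validate with a concrete routine. The following is an added example written for this page, not Glexia or MITRE code; the record layouts, hostnames, IPs, image paths and timestamps are all constructed, and the five-second join window is an assumption a SOC would tune to its own sensor latency. It also covers the last bullet: a flagged flow with no matching endpoint event is reported as a visibility gap rather than silently dropped.

```python
"""Correlate protocol-inspection anomalies with endpoint process telemetry.

Added example (not from the Glexia/MITRE page). Three inputs are constructed
inline: a baseline window of which images normally initiate which protocol,
flow-level anomalies from a protocol-inspection sensor (after authorized
SSL/TLS inspection), and Sysmon Event ID 3 style process-network events.
"""
from datetime import datetime, timedelta

# Constructed baseline window: (image, protocol) pairs seen during normal operation.
BASELINE_EVENTS = [
    {"image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "proto": "tls"},
    {"image": r"C:\Windows\System32\svchost.exe", "proto": "dns"},
    {"image": r"C:\Windows\System32\svchost.exe", "proto": "tls"},
    {"image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE", "proto": "tls"},
]

# Constructed sensor verdicts: flows that violate expected protocol structure/flow state.
FLOW_ANOMALIES = [
    {"ts": "2024-05-01T09:15:02", "src": "10.0.0.5", "dst": "203.0.113.7", "dport": 443,
     "proto": "tls", "reason": "payload does not match TLS record structure"},
    {"ts": "2024-05-01T09:20:44", "src": "10.0.0.9", "dst": "198.51.100.3", "dport": 53,
     "proto": "dns", "reason": "extraneous packets outside established flow"},
    {"ts": "2024-05-01T10:02:10", "src": "10.0.0.5", "dst": "192.0.2.8", "dport": 443,
     "proto": "tls", "reason": "anomalous handshake syntax"},
    {"ts": "2024-05-01T10:30:00", "src": "10.0.0.22", "dst": "192.0.2.9", "dport": 443,
     "proto": "tls", "reason": "gratuitous traffic pattern"},
]

# Constructed endpoint events: which process opened each outbound connection.
PROCESS_CONNECTIONS = [
    {"ts": "2024-05-01T09:15:01", "host_ip": "10.0.0.5", "dst": "203.0.113.7", "dport": 443,
     "proto": "tls", "image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "cmdline": "update.exe --silent"},
    {"ts": "2024-05-01T09:20:40", "host_ip": "10.0.0.9", "dst": "198.51.100.3", "dport": 53,
     "proto": "dns", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k NetworkService"},
    {"ts": "2024-05-01T10:02:09", "host_ip": "10.0.0.5", "dst": "192.0.2.8", "dport": 443,
     "proto": "tls", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "cmdline": "firefox.exe"},
]


def build_baseline(events):
    """Return the set of (lower-cased image, protocol) pairs seen initiating connections."""
    return {(e["image"].lower(), e["proto"]) for e in events}


def _parse(ts):
    return datetime.fromisoformat(ts)


def correlate(anomalies, connections, baseline, window=timedelta(seconds=5)):
    """Attach the initiating process to each anomalous flow and grade the result.

    A process event matches a flow when host_ip/dst/dport agree and its timestamp
    lies within `window` of the sensor verdict (assumed tunable). Severity:
      high   - image is not a baseline initiator of that protocol
      medium - known initiator, so the protocol anomaly itself needs review
      medium - no endpoint event at all: recorded as a visibility gap
    """
    findings = []
    for flow in anomalies:
        key = (flow["src"], flow["dst"], flow["dport"])
        candidates = [
            c for c in connections
            if (c["host_ip"], c["dst"], c["dport"]) == key
            and abs(_parse(c["ts"]) - _parse(flow["ts"])) <= window
        ]
        if not candidates:
            findings.append({**flow, "image": None, "cmdline": None, "severity": "medium",
                             "note": "no endpoint telemetry for this flow (visibility gap)"})
            continue
        # Closest event in time wins if several processes hit the same tuple.
        proc = min(candidates, key=lambda c: abs(_parse(c["ts"]) - _parse(flow["ts"])))
        known = (proc["image"].lower(), flow["proto"]) in baseline
        findings.append({
            **flow, "image": proc["image"], "cmdline": proc["cmdline"],
            "severity": "medium" if known else "high",
            "note": ("known initiator of this protocol; review the protocol anomaly itself"
                     if known else "image does not normally initiate this protocol"),
        })
    return findings


def unexpected_initiators(connections, baseline):
    """Endpoint-only check: process events whose (image, protocol) is absent from baseline."""
    return [c for c in connections if (c["image"].lower(), c["proto"]) not in baseline]


if __name__ == "__main__":
    base = build_baseline(BASELINE_EVENTS)
    for f in correlate(FLOW_ANOMALIES, PROCESS_CONNECTIONS, base):
        print(f["severity"].upper(), f["src"], "->", f["dst"], f["image"], "|", f["note"])
    for c in unexpected_initiators(PROCESS_CONNECTIONS, base):
        print("NON-BASELINE INITIATOR", c["host_ip"], c["image"], c["cmdline"])
```

On the constructed data this grades the Temp-folder executable sending malformed TLS as high, leaves the svchost.exe DNS and Firefox TLS anomalies at medium for protocol-level review, and records the 10.0.0.22 flow as a gap; the baseline check is deliberately a separate function so it can run on endpoint data alone when packet inspection is unavailable.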

Mitigation priorities

  • Define ownership for monitoring organization-related social media impersonation and suspicious outreach, including handoff to security operations.
  • Establish baselines for normal protocol behavior and expected traffic flows on monitored networks.
  • Ensure endpoint process and command-line logging can be correlated with network connection evidence.
  • Use SSL/TLS inspection only where approved by policy, law, privacy requirements, and architecture constraints.
  • Create incident response playbooks for suspicious external personas or outreach that may precede phishing or initial access attempts.

Analyst notes and limits

This Glexia take is based only on the supplied ATT&CK analytic AN2002, its description, platform PRE, external reference, and lack of relationship context. The official description combines external social media monitoring with network/protocol anomaly monitoring, so defenders should treat this as a broad analytic concept requiring local scoping rather than a precise detection rule.

Official detection content is not provided, tactics are not specified, and no relationships are supplied. The object does not provide severity, prevalence, attribution, affected products, or guaranteed detection logic. Local platform coverage, legal constraints on inspection, social-media data access, and baseline quality will determine practical usefulness.

Official MITRE ATT&CK definition

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: d38689a1ae02c3e9...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | d38689a1ae02…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack AN2002 (external source URL)
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.