AN2005: Analytic 2005
Monitor and analyze traffic patterns and packet inspection associated with protocol(s) that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous process execution and command-line arguments associated with traffic patterns (e.g., monitor anomalies in use of files that do not normally initiate connections for the respective protocol(s)). Consider monitoring social media activity related to your organization. Suspicious activity may include personas claiming to work for your organization or recently created/modified accounts making numerous connection requests to accounts affiliated with your organization. Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access (ex: Phishing).
Analyst context for executives and security teams
This analytic is about finding early warning signs before or around intrusion attempts: unusual protocol traffic that does not match expected standards or flows, plus suspicious social media activity such as fake personas claiming organizational affiliation. Its value is not a single alert, but a readiness check: can the organization see abnormal network behavior and external impersonation activity early enough to inform phishing defense, incident triage, and executive risk decisions?
Executive priority
Treat this as a visibility and resilience priority for pre-compromise risk. Leaders should ask whether security teams can baseline normal protocol behavior, correlate suspicious traffic to processes and command lines, and monitor public-facing social media impersonation risks. Because ATT&CK notes much of the social activity may occur outside the target organization’s visibility, this should inform expectations for managed detection, threat intelligence, phishing readiness, and compliance evidence rather than be treated as guaranteed detection coverage.
Technical view
For SOC, detection engineering, and IR teams, validate whether network monitoring can identify protocol syntax, structure, or flow anomalies such as extraneous packets, gratuitous traffic, or traffic outside established flows. Where endpoint visibility exists, correlate anomalous traffic with process execution and command-line arguments, especially files or processes that do not normally initiate the relevant protocol connections. For the social media portion, establish review workflows for newly created or modified accounts, personas claiming employment, and high-volume connection requests targeting accounts affiliated with the organization. The supplied ATT&CK object lists platform PRE, has no tactics specified, and provides no formal detection logic, so local baselining is essential.
Likely telemetry
- Network traffic metadata and flow records
- Packet capture or protocol inspection output
- Protocol parser/anomaly logs
- Endpoint process execution telemetry
- Command-line telemetry
Detection direction
- Baseline expected protocol standards, syntax, structure, and traffic flows before tuning anomaly thresholds.
- Correlate protocol anomalies with process execution and command-line context to reduce noise and identify unusual initiating processes.
- Treat malformed or anomalous traffic carefully: misconfigured applications, testing tools, scanning, and network issues can create false positives.
- Define an intake and triage process for suspected social media impersonation, especially newly created or modified accounts making many connection requests to affiliated personnel.
- Do not rely on social media monitoring alone; ATT&CK notes much of this activity may be outside organizational visibility, so correlate with later-stage indicators such as phishing attempts when available.
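The network-to-endpoint correlation described in the Technical view and the first two Detection direction points, as an added example that is not part of the ATT&CK object or the Glexia analysis: flow records are joined to process telemetry, a baseline of which images normally initiate each protocol/port is built from known-good data, and new flows initiated by an image outside that baseline (or lacking any process context) are surfaced with their command line for triage. All records, process names and the baseline are constructed for illustration.

```python
# Constructed sample telemetry (not real data): flow records keyed to the pid
# that opened the socket, plus process execution records with command lines.
BASELINE_FLOWS = [
    {"proto": "tcp", "dport": 443, "pid": 1001},
    {"proto": "tcp", "dport": 443, "pid": 1002},
    {"proto": "udp", "dport": 53, "pid": 1003},
]
BASELINE_PROCS = {
    1001: {"image": "chrome.exe", "cmdline": "chrome.exe"},
    1002: {"image": "outlook.exe", "cmdline": "outlook.exe"},
    1003: {"image": "svchost.exe", "cmdline": "svchost.exe -k NetworkService"},
}
NEW_FLOWS = [
    {"proto": "tcp", "dport": 443, "pid": 2001},
    {"proto": "udp", "dport": 53, "pid": 2002},
    {"proto": "tcp", "dport": 443, "pid": 2003},
]
NEW_PROCS = {
    2001: {"image": "chrome.exe", "cmdline": "chrome.exe --type=renderer"},
    2002: {"image": "winword.exe", "cmdline": "winword.exe /q report.docx"},
    # pid 2003 deliberately has no process record: a flow with no endpoint context
}

def build_baseline(flows, procs):
    """Map (proto, dport) to the set of images normally initiating it."""
    baseline = {}
    for f in flows:
        proc = procs.get(f["pid"])
        if proc:
            key = (f["proto"], f["dport"])
            baseline.setdefault(key, set()).add(proc["image"].lower())
    return baseline

def correlate(flows, procs, baseline):
    """Flag flows whose initiating image is outside the baseline for that
    protocol/port; flows with no process context are flagged, not dropped."""
    findings = []
    for f in flows:
        proc = procs.get(f["pid"])
        if proc is None:
            findings.append({**f, "reason": "no process context"})
            continue
        expected = baseline.get((f["proto"], f["dport"]), set())
        if proc["image"].lower() not in expected:
            findings.append({**f, "image": proc["image"], "cmdline": proc["cmdline"],
                             "reason": "unexpected initiating process"})
    return findings

def run_demo():
    """Evaluate the constructed new flows against the constructed baseline."""
    return correlate(NEW_FLOWS, NEW_PROCS, build_baseline(BASELINE_FLOWS, BASELINE_PROCS))
```

In a real deployment the baseline would be learned over a tuning window per environment, and the "no process context" findings are as much a telemetry-gap signal as a detection.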
Mitigation priorities
- Prioritize collection and retention of network flow, protocol inspection, process execution, and command-line evidence needed to support this analytic.
- Create expected-protocol baselines for important environments and review exceptions for legitimate business applications.
- Maintain governance for official organizational social media presence and a process for reporting suspected impersonation.
- Integrate suspicious social media findings with phishing awareness, reporting, and incident response workflows.
- Use findings to support control validation and audit evidence around monitoring, incident triage, and pre-compromise threat intelligence processes.
Analyst notes and limits
This object is a detection analytic, not a technique, and it provides broad monitoring guidance rather than a specific query. The strongest decision value is validating whether the organization can combine network anomaly detection, endpoint context, and external social media observations into an actionable investigation workflow.
No official detection logic, tactics, labels, aliases, or relationship context were supplied. Platform is limited to PRE. The description explicitly states that much of the social media activity may occur outside the target organization’s visibility, so coverage depends heavily on local telemetry, baselines, monitoring authority, and investigation processes.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 5e7b7c3e79ed… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: AN2005 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.