MITRE ATT&CK® Analytic

AN2015: Analytic 2015

Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Phishing, Endpoint Denial of Service, or Network Denial of Service.

Domain: Enterprise | Object ID: AN2015 | Type: Analytic | Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic is important because MITRE explicitly notes that much of the relevant activity may occur outside the target organization’s visibility. For leaders, the practical issue is not whether a single alert exists, but whether the organization can recognize the surrounding signs when the activity moves into observable stages such as phishing, endpoint denial of service, or network denial of service.

Executive priority

Treat this as a visibility and readiness question. Executives and security leaders should ask whether the SOC, incident response plan, and continuity processes are prepared for activity that may not be directly detectable until it appears as phishing or denial-of-service behavior. Priority should go to validating evidence collection, escalation paths, and resilience playbooks for those related stages rather than assuming direct detection is possible.

Technical view

The supplied ATT&CK analytic does not provide a specific detection rule, tactic, or relationship context. SOC and detection teams should therefore validate coverage around the observable lifecycle stages named by MITRE: phishing, endpoint denial of service, and network denial of service. For this PRE-platform analytic, teams should be explicit about what is outside organizational telemetry and where detection depends on downstream signals, third-party intelligence, user reporting, service availability monitoring, or incident correlation.

Likely telemetry

  • Email security and mail gateway events relevant to phishing attempts
  • User-reported suspicious messages or social engineering reports
  • Endpoint performance, crash, resource exhaustion, and availability signals relevant to endpoint denial of service
  • Network flow, perimeter, DDoS, and availability monitoring relevant to network denial of service
  • SOC case management and incident timeline evidence linking precursor reports to later observable activity

Detection direction

  • Do not build confidence around a direct analytic unless local telemetry can actually observe the behavior; MITRE states much of the activity may occur outside target visibility.
  • Validate detections and triage workflows for the related observable stages: phishing, endpoint denial of service, and network denial of service.
  • Tune correlation to connect weak early signals, user reports, external intelligence, and later service-impacting events without over-weighting any single low-confidence indicator.
  • Document blind spots where activity occurs before contact with enterprise systems or outside owned infrastructure.
  • Review false positives from routine email campaigns, endpoint instability, capacity issues, or network congestion so denial-of-service and phishing investigations remain actionable.
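The correlation bullet above asks for weak early signals (gateway blocks, user reports, external intelligence) to be tied to later service-impacting events without letting one noisy source open a case on its own. The following is an added illustration of that scoring logic, not code from Glexia or MITRE: the signal types, weights, 72-hour window, per-source cap and case threshold are all assumptions chosen for the example, and the signals are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Weight per signal type. Kept deliberately low: each of these is a weak
# indicator on its own. Values are assumptions for this example, not a
# MITRE-supplied scheme.
WEIGHTS = {
    "mail_gateway_phish": 0.3,
    "user_report": 0.3,
    "external_intel": 0.4,
    "endpoint_exhaustion": 0.4,
    "network_availability": 0.5,
}
PER_SOURCE_CAP = 0.5        # one telemetry source can never exceed this
CASE_THRESHOLD = 1.0        # combined score needed to open a case
MIN_DISTINCT_SOURCES = 2    # require corroboration from different telemetry
WINDOW = timedelta(hours=72)


@dataclass(frozen=True)
class Signal:
    ts: datetime
    source: str    # key into WEIGHTS
    detail: str


def score_window(window):
    """Sum weights per source, cap each source, then total.

    The cap is what stops a burst from a single noisy feed (e.g. a routine
    bulk phishing campaign) from reaching the threshold by volume alone.
    Returns (score, sorted list of contributing sources)."""
    per_source = {}
    for s in window:
        per_source[s.source] = per_source.get(s.source, 0.0) + WEIGHTS[s.source]
    capped = {src: min(PER_SOURCE_CAP, total) for src, total in per_source.items()}
    return round(sum(capped.values()), 2), sorted(capped)


def correlate(signals):
    """Slide a window over time-ordered signals and open a case when the
    capped score crosses the threshold with enough distinct sources."""
    ordered = sorted(signals, key=lambda s: s.ts)
    cases = []
    i = 0
    while i < len(ordered):
        anchor = ordered[i]
        window = [s for s in ordered[i:] if s.ts <= anchor.ts + WINDOW]
        score, sources = score_window(window)
        if score >= CASE_THRESHOLD and len(sources) >= MIN_DISTINCT_SOURCES:
            cases.append({"start": anchor.ts, "score": score,
                          "sources": sources, "signals": window})
            i += len(window)   # consume the window; no double counting
        else:
            i += 1
    return cases


# Constructed sample telemetry (not real events).
SAMPLE_SIGNALS = [
    # Cluster A: weak signals from four different sources inside 72 hours.
    Signal(datetime(2024, 5, 1, 9, 0), "mail_gateway_phish", "credential-harvest lure blocked"),
    Signal(datetime(2024, 5, 1, 9, 40), "user_report", "user forwarded suspicious invoice"),
    Signal(datetime(2024, 5, 2, 14, 0), "external_intel", "vendor bulletin on sector campaign"),
    Signal(datetime(2024, 5, 3, 8, 0), "network_availability", "edge link saturation alert"),
    # Cluster B: a burst from one source only (routine bulk campaign).
    Signal(datetime(2024, 5, 20, 10, 0), "mail_gateway_phish", "bulk lure blocked"),
    Signal(datetime(2024, 5, 20, 10, 5), "mail_gateway_phish", "bulk lure blocked"),
    Signal(datetime(2024, 5, 20, 10, 10), "mail_gateway_phish", "bulk lure blocked"),
    Signal(datetime(2024, 5, 20, 10, 15), "mail_gateway_phish", "bulk lure blocked"),
    # Cluster C: an isolated endpoint instability event.
    Signal(datetime(2024, 6, 1, 3, 0), "endpoint_exhaustion", "host memory exhaustion"),
]


def run_example():
    """Correlate the constructed sample; only cluster A becomes a case."""
    return correlate(SAMPLE_SIGNALS)


if __name__ == "__main__":
    for case in run_example():
        print(case["start"], case["score"], case["sources"])
        for s in case["signals"]:
            print("   ", s.ts, s.source, s.detail)
```

Without the per-source cap, cluster B would sum to 1.2 and open a case from mail-gateway noise alone; with the cap it stays at 0.5 from a single source and is correctly left as routine. The thresholds here are placeholders to be tuned against local false-positive history, as the surrounding bullets advise.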

Mitigation priorities

  • Prioritize resilience and response preparation where direct detection is limited: phishing handling, denial-of-service response, communications, and escalation paths.
  • Ensure email security, endpoint monitoring, network availability monitoring, and incident response processes produce evidence suitable for investigation and audit.
  • Run tabletop or operational validation exercises around phishing-led or denial-of-service-adjacent scenarios to test handoffs between SOC, IR, IT operations, and business continuity teams.
  • Define when to engage external providers or upstream network support for activity that occurs outside internal visibility.
  • Use lessons from incidents and exercises to refine logging, alert thresholds, user reporting, and continuity procedures.

Analyst notes and limits

This object is a MITRE detection analytic, not a technique. It has no supplied tactic, no relationships, and no official detection logic. The key decision value is acknowledging that direct observability may be limited and that defensive coverage should be assessed through related observable behaviors named in the official description.

The assessment is constrained to the supplied ATT&CK fields and external reference. No active exploitation, adversary attribution, platform-specific implementation, or guaranteed detection coverage is implied. Local architecture, telemetry retention, third-party services, and incident history are required to determine actual coverage.

Official MITRE ATT&CK definition

Analytic 2015

Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Phishing, Endpoint Denial of Service, or Network Denial of Service.

View the same entry on attack.mitre.org (MITRE-hosted reference).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 0770a3dbda42fc5e...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | 0770a3dbda42…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack AN2015 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.