MITRE ATT&CK® Analytic

AN2060: Analytic 2060

Much of this takes place outside the visibility of the target organization, making detection difficult for defenders.

Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.

Enterprise | AN2060 | Analytic | Object v1.0 | Modified

Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

Analytic AN2060 highlights a detection gap: some adversary activity occurs before or outside the target organization’s direct visibility. For leaders, the practical issue is not a single alert, but whether the security program can still make defensible decisions when the earliest hostile activity leaves little internal telemetry.

Executive priority

Treat this as a resilience and readiness question. Executives should ask whether the organization has enough visibility, threat intelligence, external monitoring, and initial-access detection coverage to compensate for activity that may happen outside its environment. This matters for incident triage, audit evidence, and prioritizing controls around the points where external activity eventually becomes observable.

Technical view

Because the object provides no specific detection logic and lists platform PRE, SOC and IR teams should not expect a direct internal analytic to cover the behavior. Validation should focus on adjacent observable stages, especially Initial Access as noted by MITRE, and on whether detections, logging, and response playbooks can identify the first point where external preparation or activity touches enterprise systems.

Likely telemetry

  • Initial access signals from identity, endpoint, email, network, cloud, or exposed service logs where applicable to the local environment
  • External threat intelligence or exposure-monitoring findings, if available
  • Authentication and access logs around first observed contact with enterprise assets
  • Incident response timelines showing when activity first became visible internally
  • Alert and case-management records linking external context to internal detections

Detection direction

  • Do not measure coverage solely by whether AN2060 has a direct rule; MITRE states much of the activity may be outside target visibility.
  • Validate detections for related lifecycle stages, especially Initial Access, because that may be the first defensible observation point.
  • Tune SOC workflows to preserve context from external intelligence or exposure findings without treating them as confirmed compromise by default.
  • Review blind spots where externally initiated activity only becomes visible after authentication, delivery, or interaction with exposed services.
  • Use local telemetry to determine what is actually observable; the ATT&CK object does not provide tactic mapping, detection logic, or relationships.

Mitigation priorities

  • Prioritize visibility and response readiness at the transition from external activity to internal contact, such as initial access monitoring and exposed-service oversight.
  • Ensure incident response playbooks account for incomplete early-stage evidence and include steps to reconstruct timelines from the first internal observation.
  • Use threat intelligence and exposure management as decision support, while requiring corroborating internal evidence before declaring incidents.
  • Document known visibility limits for compliance and risk discussions so leadership understands where prevention, detection, and response assumptions begin.

Analyst notes and limits

This is a detection analytic object, not a technique description. Its main value is to remind defenders that some adversary lifecycle activity may be inherently difficult for the target to observe directly, so coverage should be assessed through adjacent observable stages rather than a single analytic.

The supplied ATT&CK fields are sparse: no official detection logic, no tactics, no relationships, no aliases, and only platform PRE. Any environment-specific control recommendations, telemetry sources, or detection claims require local architecture and logging evidence.

Official MITRE ATT&CK definition

Analytic 2060

Much of this takes place outside the visibility of the target organization, making detection difficult for defenders.

Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: b0c122b049ac2b3b...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | b0c122b049ac…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack AN2060

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.