AN2062: Analytic 2062
Much of this takes place outside the visibility of the target organization, making detection difficult for defenders.
Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
Analyst context for executives and security teams
AN2062 highlights a detection problem more than a specific observable behavior: much of the adversary activity occurs outside the target organization’s visibility. For leaders, the practical issue is that the SOC may not be able to see the earliest parts of the threat lifecycle directly, so assurance must come from validating coverage around adjacent observable stages, especially Initial Access.
Executive priority
Treat this as a resilience and readiness gap: if activity happens before it reaches owned systems, detection cannot rely only on internal endpoint or network alerts. Executives should ask whether the organization has evidence-quality visibility for Initial Access, identity events, and externally sourced warning signals, and whether incident response playbooks account for investigations that begin with limited or third-party evidence.
Technical view
The supplied ATT&CK analytic has platform PRE, no specified tactic, no relationships, and no official detection logic. SOC and detection engineering teams should therefore validate compensating visibility around the points where externally staged activity becomes observable, such as authentication, email, web, cloud access, endpoint execution, and network ingress associated with Initial Access. Detection content should be assessed for gaps where activity remains outside enterprise telemetry until the first direct interaction with users, identities, applications, or infrastructure.
Likely telemetry
- Identity and access logs, including sign-in, MFA, and anomalous authentication evidence
- Email security and user-reporting telemetry for potential Initial Access paths
- Web proxy, DNS, and network ingress logs where external interaction becomes observable
- Endpoint and EDR telemetry for post-delivery execution or user interaction
- Cloud control-plane and SaaS audit logs for access attempts and session activity
Detection direction
- Do not expect direct visibility into all PRE-stage activity; validate where the first enterprise-observable event should appear.
- Tune detections around Initial Access and identity activity because the official description explicitly points defenders toward related lifecycle stages.
- Check for blind spots caused by unmanaged assets, incomplete SaaS/cloud audit logging, limited email retention, or missing identity telemetry.
- Use external intelligence or third-party reports as investigation leads, but require local corroboration before escalation decisions.
- Document which parts of the lifecycle are not observable internally so SOC coverage claims and audit evidence remain accurate.
Mitigation priorities
- Prioritize reliable logging and retention for identity, email, endpoint, network ingress, and cloud/SaaS control planes.
- Strengthen Initial Access controls such as MFA enforcement, conditional access, phishing-resistant processes where applicable, and hardened exposed services.
- Maintain incident response procedures for alerts that originate from weak signals or external notifications rather than deterministic internal detections.
- Use attack-surface and exposure management to reduce opportunities before activity becomes visible internally.
- Align compliance evidence to demonstrable monitoring coverage and clearly documented limitations for activity outside organizational visibility.
Analyst notes and limits
This is a detection analytic object, not a full ATT&CK technique. The key decision value is recognizing that direct detection may be impractical for activity outside the organization’s telemetry boundary, so coverage should be measured by adjacent observable stages and response readiness.
The supplied object contains no official detection logic, no tactics, no relationships, no aliases, and only the PRE platform. Recommendations are therefore limited to conservative validation and compensating-control guidance derived from the official description and external reference.
Analytic 2062
Much of this takes place outside the visibility of the target organization, making detection difficult for defenders.
Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | 173a1f0e130f… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack AN2062Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.