DC0052: Social Media
Established, compromised, or otherwise acquired by adversaries to conduct reconnaissance, influence operations, social engineering, or other cyber threats.
*Data Collection Measures:*
- API Monitoring - Social media APIs (e.g., Twitter API, Facebook Graph API) can extract behavioral patterns of accounts.
- Web Scraping - Extracts public profile data, friend lists, or interactions to identify impersonation attempts.
- Threat Intelligence Feeds - External feeds track malicious personas linked to disinformation campaigns or phishing.
- OSINT Tools - Maltego, SpiderFoot, and OpenCTI can map social media persona relationships.
- Endpoint Detection - EDR logs user behavior and alerts on suspicious social media interactions.
- SIEM Logging - Detects access to known phishing pages or social media abuse via proxy logs.
- Dark Web Monitoring - Identifies compromised social media credentials being sold.
Analyst context for executives and security teams
Social media is a defensive data component for understanding adversary use of public or compromised accounts in reconnaissance, influence activity, social engineering, phishing support, and related cyber threats. For leaders, its value is less about monitoring every post and more about knowing whether the organization can identify impersonation, credential exposure, malicious personas, and social-media-driven lures before they affect users, reputation, or incident response decisions.
Executive priority
Treat this as a visibility and readiness question: who owns monitoring of social media abuse, brand or executive impersonation, exposed social media credentials, and social-media-linked phishing paths? Because ATT&CK provides no specific platform, tactic, or detection logic for this component, executives should focus on governance, collection authority, evidence retention, escalation paths, and integration between security, communications, legal, and incident response teams.
Technical view
SOC, threat intelligence, and IR teams should validate whether they can collect and correlate evidence from social media APIs, public web scraping, threat intelligence feeds, OSINT tooling, endpoint detections, SIEM/proxy logs, and dark web monitoring. The supplied ATT&CK object does not define official detections or relationships to specific techniques, so teams should avoid assuming coverage and instead test whether social-media-derived indicators can be linked to phishing pages, suspicious user interactions, impersonation attempts, exposed credentials, or malicious persona infrastructure in existing workflows.
Likely telemetry
- Social media API outputs showing account behavior, relationships, or posting patterns
- Public web-scraped profile data, friend lists, interactions, and impersonation indicators
- Threat intelligence feeds reporting malicious personas, disinformation-linked accounts, or phishing-related social media activity
- OSINT tool outputs mapping persona relationships and account connections
- Endpoint detection logs involving suspicious user interactions with social media content
Detection direction
- Confirm which social media sources are legally and operationally approved for monitoring, and document collection gaps.
- Correlate social media indicators with proxy, SIEM, endpoint, and threat intelligence evidence rather than treating OSINT findings as standalone proof.
- Tune for impersonation, credential exposure, malicious persona relationships, and links to phishing pages, while accounting for false positives from legitimate public engagement, marketing activity, or common-name accounts.
- Validate escalation workflows for findings that involve executives, brand abuse, employee targeting, or suspected compromised social media credentials.
- Because ATT&CK supplies no official detection text or technique relationships for this object, local use cases and historical incident data should drive detection logic.
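As an added illustration of the correlation and tuning points above (example code, not part of the ATT&CK record or the Glexia analysis), this Python sketch takes constructed social-media indicators and constructed proxy log lines, flags lookalikes of official handles, and grades each finding by whether internal telemetry corroborates it. All handles, domains, users and the log format are hypothetical.

```python
import re

# Constructed sample data (hypothetical handles, domains and users; not real accounts or sites).
OFFICIAL_HANDLES = {"examplecorp", "examplecorp_support"}

SOCIAL_INDICATORS = [  # shape of what an OSINT tool or TI feed might hand over
    {"handle": "examplecorp_support", "url": "http://examplecorp-login.example/reset"},
    {"handle": "examp1ecorp", "url": "http://examp1ecorp.example/secure"},
    {"handle": "examplec0rp", "url": "http://examplec0rp.example/verify"},
    {"handle": "jane_doe_photos", "url": None},
]

PROXY_LOG = """\
2026-01-10T09:12:01Z alice http://examplecorp-login.example/reset allowed
2026-01-10T09:13:44Z bob http://intranet.example/home allowed
2026-01-10T10:02:17Z carol http://examp1ecorp.example/secure blocked
"""

_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a"})


def normalize_handle(handle: str) -> str:
    """Fold common digit/letter substitutions and punctuation so lookalikes compare equal."""
    return re.sub(r"[^a-z0-9]", "", handle.lower().translate(_HOMOGLYPHS))


def parse_proxy_log(text: str) -> dict[str, list[str]]:
    """Map each URL in the simplified 'ts user url action' proxy log to the users who requested it."""
    hits: dict[str, list[str]] = {}
    for line in text.splitlines():
        _ts, user, url, _action = line.split()
        hits.setdefault(url, []).append(user)
    return hits


def correlate(indicators, proxy_text, official):
    """Classify each social-media indicator and grade it by internal corroboration."""
    proxy_hits = parse_proxy_log(proxy_text)
    official_norm = {normalize_handle(h) for h in official}
    findings = []
    for ind in indicators:
        handle, norm = ind["handle"], normalize_handle(ind["handle"])
        if handle in official:
            kind = "official_account"    # legitimate account tied to a lure: possible compromise
        elif norm in official_norm or any(o in norm for o in official_norm):
            kind = "impersonation"       # lookalike of an official handle (heuristic, tune locally)
        else:
            kind = "unrelated_persona"   # common-name or unrelated account: likely benign
        users = proxy_hits.get(ind["url"], []) if ind["url"] else []
        if users and kind != "unrelated_persona":
            triage = "escalate"          # OSINT finding plus internal evidence
        elif users or kind == "impersonation":
            triage = "enrich"            # a single signal: gather more before acting
        else:
            triage = "low"
        findings.append({"handle": handle, "kind": kind, "users": users, "triage": triage})
    return findings
```

An indicator that only an external feed reports stays at "enrich" until proxy, SIEM or endpoint evidence corroborates it, which is the standalone-proof caveat above expressed as logic.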
Mitigation priorities
- Define ownership for social media abuse monitoring across security, communications, legal, and incident response functions.
- Inventory approved data sources such as APIs, threat intelligence feeds, OSINT tools, SIEM/proxy logs, EDR alerts, and dark web monitoring.
- Establish triage criteria for impersonation, exposed credentials, phishing links, and suspicious persona networks.
- Integrate confirmed social media indicators into SOC and IR workflows with evidence retention suitable for investigation and compliance support.
- Review access controls and credential hygiene for official social media accounts, especially where compromised credentials are a concern.
Analyst notes and limits
This object is a data component, not a technique, and the supplied record includes collection measures but no ATT&CK tactics, platforms, official detection text, aliases, or relationship context. The most useful Glexia interpretation is therefore to treat Social Media as an evidence source that can enrich threat intelligence, phishing investigation, brand impersonation response, and credential exposure workflows.
The source does not provide active exploitation claims, attribution, specific adversary procedures, concrete detection analytics, affected platforms, or ATT&CK relationships. Any assessment of coverage or risk must be based on the organization’s approved monitoring scope, available telemetry, and local incident history.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table lists the same object across releases (hashes and MITRE timestamps) for comparison. For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 2.0 | | Current bundle | 116b7b7a9339… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: DC0052 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.