MITRE ATT&CK® Detection Strategy

DET0812: Detection of Social Media

Enterprise | DET0812 | Detection Strategy | Object v1.0 | Modified

Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This detection strategy matters because social media reconnaissance is often outside normal enterprise logging. The related ATT&CK technique covers adversaries searching public social media for organizational announcements and staff details such as roles, locations, and interests that can support later targeting. For leaders, the practical issue is not whether a firewall will alert; it is whether the organization knows what sensitive targeting information is publicly exposed and whether SOC, communications, HR, and incident response teams have a process to identify and act on risky exposure.

Executive priority

Treat this as an exposure-management and readiness priority, not only a SOC rule. Executives should ask who owns public social media risk, what information about personnel and operations is acceptable to publish, and what evidence exists that public exposure is reviewed. This supports business resilience by reducing easy reconnaissance value before an incident and by giving incident responders context when social media-derived targeting is suspected.

Technical view

DET0812 is a detection strategy for Social Media reconnaissance and is related to ATT&CK T1593.001 in the reconnaissance tactic with PRE platform context. The supplied ATT&CK object does not provide official detection logic, platforms, or data sources, so defenders should validate coverage around externally observable indicators and internal governance evidence rather than assuming endpoint or network telemetry will see the activity. SOC and threat intelligence teams should correlate public-facing social media exposure with suspicious targeting reports, impersonation or lookalike activity where observed, and incident cases involving staff or organizational details that were publicly available.

Likely telemetry

  • Public social media profile and post inventories for official organizational accounts
  • Records of public staff-role, location, interest, or announcement exposure where the organization tracks them
  • Brand, executive, and organizational mention monitoring outputs, where available
  • Reports from employees, communications teams, or incident responders about suspicious outreach referencing public social media information
  • Social media account administration and access logs for official accounts, where available

Detection direction

  • Validate whether the organization has any monitoring or review process for public social media exposure; passive adversary viewing may leave no enterprise telemetry.
  • Tune detections and triage around context: suspicious outreach or targeting that references roles, locations, interests, or announcements publicly visible on social media may be relevant but is not proof of adversary reconnaissance by itself.
  • Avoid overclaiming coverage from network, endpoint, or identity tools unless they specifically collect evidence tied to this behavior; the ATT&CK object provides no official detection analytics.
  • Use the relationship to T1593.001 to connect findings to reconnaissance in incident timelines and threat intelligence reporting.
  • Account for false positives: customers, recruiters, partners, journalists, and normal public users may view or reference public social media information legitimately.

Mitigation priorities

  • Define ownership for official social media exposure across security, communications, HR, legal, and business teams.
  • Review public posts and profiles for unnecessary disclosure of staff roles, locations, interests, business announcements, or operational details that could aid targeting.
  • Establish a repeatable review process before and after major announcements or organizational changes.
  • Educate personnel on how public social media details can be used for targeting without requiring them to stop legitimate business use.
  • Ensure incident response playbooks include a step to assess whether public social media information contributed to targeting.

Analyst notes and limits

The most useful defensive output is often an exposure assessment and an incident context signal, not a high-fidelity alert. This object should be used to drive questions about governance, monitoring ownership, and how public information is considered during investigations.

The supplied ATT&CK detection strategy has no official description, no official detection text, no specified platforms, and no tactics listed on the object itself. The only behavioral context provided is its relationship to T1593.001 Social Media under reconnaissance with PRE platform context. Local environment evidence is required to determine actual monitoring, exposure, and response maturity.

Official MITRE ATT&CK definition

Detection of Social Media

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

| Domain | ID | Name | Relationship / procedure |
| --- | --- | --- | --- |
| Enterprise | T1593.001 | Social Media (Sub-technique) | This object detects Social Media. |

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: d7c0a66196d83c46...

Imported snapshots across ATT&CK releases (1)

| Release | Bundle imported | Object version | Modified | Status | Raw hash |
| --- | --- | --- | --- | --- | --- |
| 19.1 | | 1.0 | | Current bundle | d7c0a66196d8… |

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack DET0812

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.