DET0851: Detection of Social Media Accounts
Analyst context for executives and security teams
DET0851 is a detection strategy for identifying social media accounts that may support adversary persona development before targeting. For leaders, the material issue is that this activity can happen outside enterprise networks, before traditional SOC alerts fire, and may shape later social engineering risk against employees, executives, partners, or trusted communities.
Executive priority
Treat this as a pre-incident visibility and readiness question rather than a conventional endpoint control problem. Executives should ask whether the organization has defined ownership for monitoring suspicious social media personas, validating impersonation or affiliation claims, escalating credible targeting concerns, and preserving evidence for incident response, legal, communications, or compliance needs.
Technical view
The supplied ATT&CK object has no official description, detection text, platforms, or tactics of its own. Its value comes from the relationship to T1585.001, Social Media Accounts, under resource development on PRE. SOC, threat intelligence, and IR teams should validate whether they can identify suspicious account creation or cultivation that uses the organization’s name, brands, executives, employees, projects, or affiliations to build credibility for later social engineering.
Likely telemetry
- Public social media profile metadata and observable account history where collection is authorized
- Mentions of the organization, executives, employees, brands, projects, or affiliations in public profiles
- Reports from employees, executives, recruiters, communications teams, or customers about suspicious personas
- Threat intelligence or OSINT monitoring records related to impersonation or persona cultivation
- Case management records for validation, escalation, takedown requests, and evidence preservation
Detection direction
- Confirm whether monitoring covers the pre-compromise resource-development phase, not only internal network or identity events.
- Prioritize watch criteria around high-value targets, executive identities, recruiting themes, trusted affiliations, and organization-specific branding.
- Tune for false positives such as legitimate recruiters, customers, alumni, fan/community accounts, parody accounts, or unrelated people with similar names.
- Document blind spots: private groups, closed platforms, regional platforms, language coverage, limited historical account data, and legal or contractual limits on collection.
- Correlate suspicious personas with employee reports or other targeting indicators before escalating as a security incident.
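The watch criteria, false-positive tuning, and correlation step above can be sketched as a small triage routine. This is an added example, not MITRE's or this page's own detection logic; the watched names, handles, thresholds, and sample profiles are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from difflib import SequenceMatcher

# Constructed watch criteria: every name, handle and threshold here is an assumption.
WATCH_NAMES = ["Dana Whitfield", "Example Corp"]          # executive identity, brand
OFFICIAL_HANDLES = {"examplecorp", "examplecorp_careers"}  # authoritative presence
NAME_MATCH, NEW_ACCOUNT_DAYS = 0.85, 90

@dataclass
class Profile:
    handle: str
    display_name: str
    bio: str
    created: date

def triage(p, reported_handles, today):
    """Return (disposition, reasons) for one publicly observed profile."""
    if p.handle.lower() in OFFICIAL_HANDLES:
        return "ignore", ["official account"]
    reasons = []
    best = max(SequenceMatcher(None, p.display_name.lower(), n.lower()).ratio()
               for n in WATCH_NAMES)
    if best >= NAME_MATCH:
        reasons.append("display name resembles a watched identity")
    if any(n.lower() in p.bio.lower() for n in WATCH_NAMES):
        reasons.append("bio claims affiliation")
    if (today - p.created).days < NEW_ACCOUNT_DAYS:
        reasons.append("recently created account")
    signals = len(reasons)
    if p.handle.lower() in reported_handles and signals >= 1:
        return "escalate", reasons + ["corroborated by employee report"]
    # Uncorroborated personas go to an analyst queue, never straight to an incident.
    return ("review" if signals >= 2 else "log"), reasons

# Constructed sample observations and one employee report (not real accounts).
TODAY = date(2025, 6, 1)
REPORTED = {"dana_whitfield_ec"}
SAMPLES = [
    Profile("examplecorp", "Example Corp", "Official account", date(2015, 1, 1)),
    Profile("dana_whitfield_ec", "Dana Whitfeld", "CFO at Example Corp", date(2025, 5, 20)),
    Profile("recruiter_sam", "Sam Ortiz", "Recruiter hiring for Example Corp", date(2019, 3, 1)),
    Profile("dw_parody", "Dana Whitfield", "Parody, not affiliated", date(2025, 5, 1)),
]

def run_samples():
    return {p.handle: triage(p, REPORTED, TODAY)[0] for p in SAMPLES}

if __name__ == "__main__":
    for handle, disposition in run_samples().items():
        print(f"{handle:20} {disposition}")
```

The recruiter and parody samples show why a single signal or an uncorroborated match is logged or queued for review rather than escalated.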
Mitigation priorities
- Define ownership across security, threat intelligence, communications, legal, HR, and executive protection for suspicious social media persona handling.
- Maintain authoritative public social media presence and clear reporting paths for suspected impersonation or suspicious contact attempts.
- Create an IR playbook for triage, evidence capture, risk assessment, stakeholder notification, and platform takedown or abuse reporting when appropriate.
- Use awareness guidance for employees and high-risk roles to report unusual social media engagement, especially accounts claiming trusted affiliation.
- Retain audit-ready evidence of monitoring scope, decisions, escalations, and response actions where this supports compliance or incident governance.
Analyst notes and limits
This detection strategy is sparse in the supplied ATT&CK fields. The relationship to T1585.001 supports framing it as visibility into adversary-created or cultivated social media personas for resource development. Local risk depends heavily on business profile, public executive exposure, recruiting activity, brand visibility, and the organization’s legal authority to monitor public or third-party platforms.
No official MITRE detection text, platforms, tactics, or description were provided for DET0851. The related technique indicates PRE and resource-development context, but this does not prove active exploitation, attribution, or detection coverage in any environment. Practical implementation requires local telemetry, policy, legal review, and platform-specific constraints.
Detection of Social Media Accounts
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1585.001 | Social Media Accounts (sub-technique) | This object detects Social Media Accounts. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 5cb250f3b588… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack DET0851
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.