MITRE ATT&CK® Detection Strategy

DET0873: Detection of Establish Accounts

Domain: Enterprise | ID: DET0873 | Type: Detection Strategy | Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Low

DET0873 is a detection strategy for identifying adversary-created or cultivated external accounts used to support targeting operations. For leaders, the significance is that this activity can occur before intrusion and outside normal enterprise telemetry, so coverage depends less on endpoint alerts and more on brand, identity, threat intelligence, and external monitoring processes.

Executive priority

Prioritize this as an early-warning and risk-reduction topic rather than a conventional post-compromise control. Ask whether the organization can recognize suspicious personas, social media profiles, website accounts, or other public-facing accounts that may be used to legitimize targeting. This matters for executive impersonation risk, fraud enablement, phishing preparation, incident triage, and evidence of proactive monitoring for compliance or resilience programs.

Technical view

The supplied ATT&CK object has no official detection text, platforms, or tactics of its own. Its relationship shows it detects T1585 Establish Accounts, a resource-development technique on PRE platforms. SOC, CTI, and IR teams should validate whether they have processes to discover and assess externally created accounts or personas that reference the organization, executives, brands, affiliates, or operations. Detection should be treated as relationship-driven and intelligence-led, not as a guaranteed log analytic.

Likely telemetry

  • Public web and social media monitoring results for organization, brand, executive, and affiliate references
  • Threat intelligence or digital risk findings about newly observed personas or accounts
  • Reports from employees, customers, partners, or brand-protection channels about suspicious accounts
  • Records of known legitimate corporate, executive, recruiting, support, and marketing accounts for comparison
  • Incident response case notes linking suspicious accounts to targeting, phishing preparation, or impersonation concerns

Detection direction

  • Because ATT&CK provides no official detection logic for DET0873, validate local collection and triage workflow before claiming coverage.
  • Tune monitoring around high-risk names, brands, roles, business units, and public campaigns, while accounting for legitimate marketing, recruiting, partner, and customer-community activity.
  • Use allowlists or inventories of authorized public accounts to reduce false positives from legitimate corporate presence.
  • Escalate findings when an account shows developed persona characteristics, organizational references, or apparent use in targeting context; avoid treating account creation alone as confirmed malicious activity.
  • Document evidence sources and analytic thresholds so SOC and CTI teams can explain why a suspicious account is relevant during incident response.
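The triage flow described in the list above (allowlist against an inventory of authorized accounts, watchlist of high-risk names and roles, escalation only when persona characteristics, organizational references or IR-linked targeting context are present, and recorded reasons for every decision) as an added worked example. This is illustration code written for this page, not Glexia's or MITRE's code. All accounts, handles, names (ExampleCorp, Jane Doe), watchlist terms and scoring thresholds are constructed placeholders and assumptions that a team would replace with its own inventory and local tuning.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ObservedAccount:
    """One externally observed account or persona (constructed sample record)."""
    platform: str              # where the account lives, e.g. "linkedin", "x"
    handle: str
    display_name: str
    bio: str
    source: str                # telemetry source: brand monitoring, employee report, IR case notes
    linked_activity: tuple = ()  # IR context such as ("phishing-prep",) when a case ties it to targeting


# Inventory of authorized public-facing accounts (the allowlist). Constructed placeholders.
AUTHORIZED_ACCOUNTS = {
    ("linkedin", "examplecorp-official"),
    ("x", "examplecorp"),
}

# High-risk brand, executive, role and campaign terms to tune monitoring around (constructed).
WATCHLIST_TERMS = ("examplecorp", "jane doe", "ceo", "acquisition", "payroll")

# Role words that suggest a claimed organizational position; matched as whole tokens only,
# so "three" does not match "hr".
ROLE_TOKENS = {"ceo", "cfo", "hr", "recruiter", "support"}


def score_account(acct, authorized=AUTHORIZED_ACCOUNTS, watchlist=WATCHLIST_TERMS):
    """Return (score, reasons). Authorized accounts score 0 with an inventory-match reason."""
    if (acct.platform.lower(), acct.handle.lower()) in authorized:
        return 0, ["matches inventory of authorized public accounts"]
    text = f"{acct.handle} {acct.display_name} {acct.bio}".lower()
    tokens = set(re.findall(r"[a-z0-9]+", text))
    score, reasons = 0, []
    hits = [term for term in watchlist if term in text]
    if hits:                                   # organizational reference
        score += 2
        reasons.append("organizational reference: " + ", ".join(hits))
    if len(acct.bio.split()) >= 8:             # developed persona (descriptive bio)
        score += 1
        reasons.append("developed persona characteristics (descriptive bio)")
    roles = sorted(tokens & ROLE_TOKENS)
    if roles:                                  # claims a role inside the organization
        score += 1
        reasons.append("claims organizational role: " + ", ".join(roles))
    if acct.linked_activity:                   # strongest signal: IR case already ties it to targeting
        score += 3
        reasons.append("linked to targeting context in IR notes: " + ", ".join(acct.linked_activity))
    return score, reasons


def verdict_for(score):
    """Thresholds are assumptions: a watchlist hit alone lands in review, never escalate."""
    if score >= 4:
        return "escalate"
    if score >= 2:
        return "review"
    return "monitor"


def triage_findings(findings, authorized=AUTHORIZED_ACCOUNTS, watchlist=WATCHLIST_TERMS):
    """Score each finding and keep the evidence source and reasons so the decision is explainable."""
    results = []
    for acct in findings:
        score, reasons = score_account(acct, authorized, watchlist)
        results.append({
            "platform": acct.platform, "handle": acct.handle, "source": acct.source,
            "score": score, "verdict": verdict_for(score), "reasons": reasons,
        })
    return results


# Constructed sample findings from the telemetry sources listed on this page.
SAMPLE_FINDINGS = (
    ObservedAccount("linkedin", "examplecorp-official", "ExampleCorp", "Official page.", "brand-monitoring"),
    ObservedAccount("linkedin", "jane-doe-examplecorp", "Jane Doe",
                    "CEO at ExampleCorp. 20 years leading growth and acquisitions across three continents.",
                    "brand-monitoring"),
    ObservedAccount("x", "examplecorp_jobs", "ExampleCorp Careers", "Hiring now", "employee-report"),
    ObservedAccount("x", "cryptofan_2024", "Alex", "Just here for the memes", "brand-monitoring"),
    ObservedAccount("linkedin", "hr-payroll-team", "Payroll Team", "Payroll updates",
                    "ir-case-notes", ("phishing-prep",)),
)

if __name__ == "__main__":
    for r in triage_findings(SAMPLE_FINDINGS):
        print(f"{r['verdict']:8} {r['platform']}/{r['handle']} (score {r['score']}, via {r['source']})")
        for reason in r["reasons"]:
            print("         -", reason)
```

The inventory check runs first, so legitimate corporate presence never accumulates a score; an unlisted careers account that only mentions the brand lands in "review" (it may simply be recruiting activity missing from the inventory), while the executive persona with a developed bio and claimed role, and the account an IR case already ties to phishing preparation, are the only two that escalate.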

Mitigation priorities

  • Maintain an inventory of authorized public-facing accounts and ownership contacts.
  • Define a reporting and triage path for suspected impersonation or suspicious external accounts.
  • Coordinate security, communications, legal, fraud, and executive-protection stakeholders for assessment and response.
  • Use threat intelligence and digital risk monitoring where business exposure justifies it.
  • Preserve evidence and decision records to support incident response, takedown requests, and audit/compliance evidence.

Analyst notes and limits

This take is based on the detection strategy object DET0873 and its relationship to T1585 Establish Accounts. The object itself contains no official description, detection guidance, platforms, or tactics; the practical guidance therefore focuses on defensive validation implied by the related ATT&CK technique and its resource-development context.

Coverage cannot be inferred from ATT&CK alone. Local visibility, brand exposure, public account inventory quality, legal/takedown processes, and threat intelligence sources determine whether this behavior can be found or acted on. No active exploitation, attribution, or guaranteed detection is claimed.

Official MITRE ATT&CK definition

Detection of Establish Accounts

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure
Enterprise | T1585 | Establish Accounts | This object detects Establish Accounts.
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.

ATT&CK release: 19.1
Object version: 1.0
Created
Modified
Raw hash: 104ddbf3fe89033c...
Imported snapshots across ATT&CK releases (1)
Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 104ddbf3fe89…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack DET0873

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.