T0011 "Compromise legitimate accounts"

Tactic stage: TA16

Summary: Hack or take over legitimate accounts to distribute misinformation or damaging content.


Has counters:

C00053 Delete old accounts / Remove unused social media accounts
C00098 Revocation of allowlisted or "verified" status
C00133 Deplatform Account*
C00153 Take pre-emptive action against actors' infrastructure
C00182 Redirection / malware detection / remediation
C00189 Ensure that platforms are taking down flagged accounts
C00197 remove suspicious accounts

Detection methods include:

F00019 Activity resurgence detection (alarm when dormant accounts become activated)
F00020 Detect anomalous activity
F00023 Periodic verification (counter to hijack legitimate account)
F00058 Deplatform (cancel culture)
F00062 Detect when Dormant account turns active
F00064 Monitor reports of account takeover
F00093 S4d detection and re-allocation approaches


Examples include:

Seen in incidents: