Persona

A malicious online profile representing a user, commonly used by adversaries to social engineer or otherwise target victims

ID: DS0021
Platform: PRE
Collection Layer: OSINT
Version: 1.0
Created: 20 October 2021
Last Modified: 16 April 2025

Data Components

Persona: Social Media

Social media accounts established, compromised, or otherwise acquired by adversaries to conduct reconnaissance, influence operations, social engineering, or other cyber threats.

Data Collection Measures:

  • API Monitoring
    • Social media APIs (e.g., Twitter API, Facebook Graph API) can extract behavioral patterns of accounts.
  • Web Scraping
    • Extracts public profile data, friend lists, or interactions to identify impersonation attempts.
  • Threat Intelligence Feeds
    • External feeds track malicious personas linked to disinformation campaigns or phishing.
  • OSINT Tools
    • Maltego, SpiderFoot, and OpenCTI can map social media persona relationships.
  • Endpoint Detection
    • EDR logs user behavior and alerts on suspicious social media interactions.
  • SIEM Logging
    • Detects access to known phishing pages or social media abuse via proxy logs.
  • Dark Web Monitoring
    • Identifies compromised social media credentials being sold.

Detections

Domain: Enterprise
ID: T1586
Name: Compromise Accounts
Detects: Consider monitoring social media activity related to your organization. Suspicious activity may include personas claiming to work for your organization or recently modified accounts making numerous connection requests to accounts affiliated with your organization. Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access (ex: Phishing).

Domain: Enterprise
ID: T1586.001
Name: Social Media Accounts
Detects: Consider monitoring social media activity related to your organization. Suspicious activity may include personas claiming to work for your organization or recently modified accounts making numerous connection requests to accounts affiliated with your organization. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access (ex: Spearphishing via Service).

Domain: Enterprise
ID: T1585
Name: Establish Accounts
Detects: Consider monitoring social media activity related to your organization. Suspicious activity may include personas claiming to work for your organization or recently created/modified accounts making numerous connection requests to accounts affiliated with your organization. Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access (ex: Phishing).

Domain: Enterprise
ID: T1585.001
Name: Social Media Accounts
Detects: Consider monitoring social media activity related to your organization. Suspicious activity may include personas claiming to work for your organization or recently created/modified accounts making numerous connection requests to accounts affiliated with your organization. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access (ex: Spearphishing via Service).
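The detection guidance above for T1585/T1586 names two observable signals: a persona claiming to work for your organization that is not a known staff account, and a recently created or modified account sending many connection requests to affiliated accounts. The following added example (not part of the ATT&CK page) turns those two clauses into triage logic over a constructed set of persona records; the organization name, staff handles, 30-day window and request threshold are all assumed values that a team would tune to its own social media API or scraper export.

```python
"""Triage social-media personas against the DS0021 detection guidance.
Added example; records below are constructed, not real accounts."""
from dataclasses import dataclass
from datetime import date

ORG_NAME = "examplecorp"                                # assumed org to watch for
ORG_STAFF = {"alice", "bob", "carol", "dave", "erin"}   # constructed affiliated handles
TODAY = date(2025, 4, 16)                               # reference date for "recent"


@dataclass
class Persona:
    handle: str
    created: date
    last_modified: date
    claimed_employer: str
    connection_requests: list   # handles this persona sent requests to


def persona_findings(p, today=TODAY, recent_days=30, request_threshold=3):
    """Return the guidance clauses this persona matches (empty list = nothing flagged)."""
    findings = []
    # Clause 1: claims to work for the org but is not a known affiliated account
    if p.claimed_employer.lower() == ORG_NAME and p.handle not in ORG_STAFF:
        findings.append("claims_org_affiliation_unverified")
    # Clause 2: recently created/modified AND mass connection requests to affiliated accounts
    recent = min((today - p.created).days, (today - p.last_modified).days) <= recent_days
    org_targets = [h for h in p.connection_requests if h in ORG_STAFF]
    if recent and len(org_targets) >= request_threshold:
        findings.append("recent_account_mass_requests_to_org")
    return findings


def triage(personas, today=TODAY):
    """Map each flagged handle to the clauses it matched; unflagged personas are omitted."""
    result = {}
    for p in personas:
        f = persona_findings(p, today)
        if f:
            result[p.handle] = f
    return result


# Constructed sample: one real staff member, one suspicious recruiter persona,
# one old dormant account, one new account with too few requests to matter.
SAMPLE = [
    Persona("alice", date(2015, 3, 1), date(2024, 1, 5), "examplecorp", ["bob"]),
    Persona("recruiter_jo", date(2025, 4, 1), date(2025, 4, 10), "examplecorp",
            ["alice", "bob", "carol", "dave"]),
    Persona("old_fan", date(2012, 6, 6), date(2013, 1, 1), "", ["alice", "bob", "carol"]),
    Persona("newbie", date(2025, 4, 12), date(2025, 4, 12), "otherco", ["alice"]),
]

if __name__ == "__main__":
    for handle, clauses in triage(SAMPLE).items():
        print(handle, clauses)
```

Because the adversary's activity happens off your infrastructure, this kind of scoring only sees what the platform exposes; pair its hits with the Initial Access detections the guidance points to.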