Build social network persona

For attacks incorporating social engineering the utilization of an on-line persona is important. These personas may be fictitious or impersonate real people. The persona may exist on a single site or across multiple sites (Facebook, LinkedIn, Twitter, Google+, etc.). [1] [2] [3]

ID: T1341
Sub-techniques:  No sub-techniques
Tactic: Persona Development
Version: 1.0
Created: 14 December 2017
Last Modified: 17 October 2018

Procedure Examples

Name Description

APT17 posted in forum threads and created profile pages in Microsoft TechNet.[5]


Cleaver created fake LinkedIn profiles.[4]


Detectable by Common Defenses (Yes/No/Partial): No

Explanation: Unless there is some threat intelligence reporting, these users are hard to differentiate.

Difficulty for the Adversary

Easy for the Adversary (Yes/No): Yes

Explanation: Performing activities like typical users, but with specific intent in mind.


  1. Mike Lennon. (2014, May 29). Iranian Hackers Targeted US Officials in Elaborate Social Media Attack Operation. Retrieved March 1, 2017.
  2. Thomas Ryan. (2010). “Getting In Bed with Robin Sage.”. Retrieved March 6, 2017.
  3. Joan Goodchild. (2010, July 8). The Robin Sage experiment: Fake profile fools security pros. Retrieved March 6, 2017.