T1586.001 CrowdStrike LogScale · LogScale

Detect Social Media Accounts in CrowdStrike LogScale

Adversaries may compromise existing social media accounts to conduct operations against target organizations. Rather than creating new personas, adversaries compromise legitimate accounts to leverage existing trust relationships and follower networks. Compromised accounts are used to deliver spearphishing messages via social platforms (T1566.003), conduct OAuth-based initial access attacks, or establish connections with target employees as a precursor to further social engineering. Threat groups including Sandworm Team (credential capture webpages) and Leviathan/APT40 (social engineering campaigns) have leveraged compromised social media accounts in operations. Detection focuses on observable effects when compromised accounts interact with the organization: anomalous OAuth authentication events using social identity providers, suspicious OAuth consent grants that may follow social media phishing, and Microsoft Defender for Cloud Apps anomalies on monitored corporate social accounts.

MITRE ATT&CK

Tactic
Resource Development
Technique
T1586 Compromise Accounts
Sub-technique
T1586.001 Social Media Accounts
Canonical reference
https://attack.mitre.org/techniques/T1586/001/

LogScale Detection Query

CrowdStrike LogScale query (CQL)
// CrowdStrike Falcon Identity Protection + Falcon Horizon (Azure AD/O365 integration)
// Detects T1586.001: social IdP OAuth sign-ins and high-privilege consent grants with composite risk scoring
// Requires: Falcon Identity Protection license OR Falcon Horizon with Azure AD data ingestion
// Event and field names come from those integrations; confirm them against the schema in your repository before deploying

#event_simpleName = /^(UserActivityAuditEvent|IdpAuthAuditEvent|OAuthConsentGrant|AzureADSignIn|CloudIdentityEvent)$/

// Normalize identity provider and application name fields.
// coalesce() takes an array of candidate fields and lower() operates on a field, so normalize in two steps
| coalesce([IdentityProviderType, ExternalIdpType, FederatedIdentityProvider], as=idpRaw, default="")
| idpNorm := lower(idpRaw)
| coalesce([ApplicationDisplayName, ClientAppName, ServicePrincipalName], as=appRaw, default="")
| appNorm := lower(appRaw)
| coalesce([GrantedScopes, OAuthScopes, DelegatedScopes], as=scopeField, default="")
| coalesce([ConsentType, OAuthConsentType], as=consentTypeField, default="")

// Filter to events relevant to social IdP auth or OAuth consent operations.
// Regex tests use the field = /pattern/ filter form; match() in LogScale is the lookup-file function, not a regex test
| (idpNorm = /google|facebook|linkedin|twitter|github|slack|yahoo/
   or appNorm = /google|facebook|linkedin|twitter|github|slack|yahoo/
   or EventType = /(?i)(consent|oauth2permission|delegation|service.principal)/
   or Operation = /(?i)(consent|oauth|delegation|serviceprincipal)/)

// Composite risk scoring: mirrors the KQL and SPL reference queries.
// Each case{} yields one partial score; the wildcard arm keeps the field defined so the sum never drops an event
| case { RiskLevelAggregated = /(?i)(high|medium)/ | sRiskLevel := 3; * | sRiskLevel := 0 }
| case { CountryCode = /^(CN|RU|IR|KP|BY|VE|CU|SY)$/ | sGeo := 2; * | sGeo := 0 }
| case { DeviceCompliant = "true" | sDevice := 0; * | sDevice := 1 }
| case { TrustType = /./ | sTrust := 0; * | sTrust := 1 }   // absent or empty TrustType: device not Azure AD joined/registered
| case { IsInteractiveLogin = "false" | sNonInteractive := 1; * | sNonInteractive := 0 }
| case { RiskEventTypes = /(?i)(anonymizedIPAddress|impossibleTravel|maliciousIPAddress|leakedCredentials|unfamiliarFeatures)/ | sRiskEvent := 3; * | sRiskEvent := 0 }
| case { scopeField = /Mail\.ReadWrite|Files\.ReadWrite\.All|Directory\.ReadWrite|RoleManagement\.ReadWrite|User\.Read\.All|EWS\.AccessAsUser\.All|MailboxSettings\.ReadWrite/ | sScope := 2; * | sScope := 0 }
| case { consentTypeField = "AllPrincipals" | sAdminConsent := 3; * | sAdminConsent := 0 }
| case { consentTypeField = "AllPrincipals" scopeField = /Mail\.ReadWrite|Files\.ReadWrite\.All|Directory\.ReadWrite|RoleManagement\.ReadWrite/ | sAdminScope := 2; * | sAdminScope := 0 }
| riskScore := sRiskLevel + sGeo + sDevice + sTrust + sNonInteractive + sRiskEvent + sScope + sAdminConsent + sAdminScope

// Threshold filter (LogScale has no `where` keyword; a bare comparison is the filter)
| riskScore >= 2

| groupBy(
    [UserPrincipalName, idpNorm, appNorm, SourceIPAddress, CountryCode,
     RiskLevelAggregated, consentTypeField, scopeField, Operation],
    function=[
      count(as=EventCount),
      max(riskScore, as=MaxRiskScore),
      min(@timestamp, as=FirstSeen),
      max(@timestamp, as=LastSeen)
    ]
  )
| sort(MaxRiskScore, order=desc)
Severity: high · Confidence: low

Detects T1586.001 via CrowdStrike Falcon Identity Protection and Falcon Horizon telemetry. Applies the same composite risk scoring model as the KQL and SPL reference queries: social identity provider involvement, high-risk geolocation, device compliance state, missing device trust, non-interactive authentication, anomalous risk event types, high-privilege OAuth scope grants, and tenant-wide admin consent (with an extra weight when admin consent also carries sensitive scopes). Requires Falcon Identity Protection or Falcon Horizon configured with Azure AD/O365 data ingestion. Confidence is low because CrowdStrike's native telemetry is endpoint-focused: Azure AD sign-in and OAuth consent events only reach LogScale through an explicit cloud identity integration, and the event and field names in the query follow that integration's schema, so confirm them in your repository (for example with `groupBy(#event_simpleName)`) before alerting on the result.

Data Sources

  • CrowdStrike Falcon Identity Protection (IdpAuthAuditEvent, UserActivityAuditEvent)
  • CrowdStrike Falcon Horizon with Azure AD integration (AzureADSignIn, OAuthConsentGrant)
  • CrowdStrike Falcon SIEM Connector forwarding Azure AD / O365 logs into LogScale

Required Tables

Falcon event stream: UserActivityAuditEvent, IdpAuthAuditEvent, OAuthConsentGrant, AzureADSignIn, CloudIdentityEvent

False Positives & Tuning

  • Authorized remote workers or executives traveling to high-risk geographic regions for legitimate business who use Google or LinkedIn SSO for corporate application access
  • Automated service accounts and CI/CD pipelines performing non-interactive OAuth authentication with broad delegated scopes for approved integrations — these consistently appear as IsInteractiveLogin=false with potentially high-privilege scopes
  • Security red team or penetration testing engagements that simulate OAuth phishing against test accounts configured with social IdP federation — coordinate with the red team calendar before tuning suppression
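The scoring model described for the query above, and the service-account tuning from the false-positive list, re-implemented as an added Python example so the weights and the threshold can be exercised offline. This is not the page's LogScale query or any CrowdStrike code; field names mirror the query, the allowlisted UPN is hypothetical, and the sample records are constructed rather than real Falcon or Azure AD telemetry.

```python
"""Composite risk scoring for T1586.001 social-IdP / OAuth-consent events.

Added example, not the page's own LogScale query: the same scoring model in
Python so thresholds and tuning can be checked offline. Field names mirror
the query; sample events below are constructed, not real telemetry.
"""
import re

SOCIAL_IDP = re.compile(r"google|facebook|linkedin|twitter|github|slack|yahoo", re.I)
EVENT_TYPE_OPS = re.compile(r"consent|oauth2permission|delegation|service.principal", re.I)
OPERATION_OPS = re.compile(r"consent|oauth|delegation|serviceprincipal", re.I)
HIGH_RISK_GEO = {"CN", "RU", "IR", "KP", "BY", "VE", "CU", "SY"}
RISK_EVENTS = re.compile(r"anonymizedIPAddress|impossibleTravel|maliciousIPAddress|leakedCredentials|unfamiliarFeatures", re.I)
PRIV_SCOPES = re.compile(r"Mail\.ReadWrite|Files\.ReadWrite\.All|Directory\.ReadWrite|RoleManagement\.ReadWrite"
                         r"|User\.Read\.All|EWS\.AccessAsUser\.All|MailboxSettings\.ReadWrite")
ADMIN_SCOPES = re.compile(r"Mail\.ReadWrite|Files\.ReadWrite\.All|Directory\.ReadWrite|RoleManagement\.ReadWrite")

# Tuning for the CI/CD false-positive case: approved automation identities whose
# non-interactive, broad-scope grants are expected. Hypothetical UPN, for illustration.
APPROVED_AUTOMATION = {"svc-ci-deploy@example.com"}


def coalesce(event: dict, *keys: str) -> str:
    """First non-empty value among the candidate fields, else '' (the query's coalesce)."""
    for key in keys:
        if event.get(key):
            return str(event[key])
    return ""


def in_scope(event: dict) -> bool:
    """The query's pre-filter: social IdP involvement or an OAuth consent/delegation operation."""
    idp = coalesce(event, "IdentityProviderType", "ExternalIdpType", "FederatedIdentityProvider")
    app = coalesce(event, "ApplicationDisplayName", "ClientAppName", "ServicePrincipalName")
    return bool(SOCIAL_IDP.search(idp) or SOCIAL_IDP.search(app)
                or EVENT_TYPE_OPS.search(event.get("EventType", ""))
                or OPERATION_OPS.search(event.get("Operation", "")))


def risk_score(event: dict) -> int:
    """Composite score with the same weights as the LogScale query."""
    scopes = coalesce(event, "GrantedScopes", "OAuthScopes", "DelegatedScopes")
    consent = coalesce(event, "ConsentType", "OAuthConsentType")
    score = 0
    if re.search(r"high|medium", event.get("RiskLevelAggregated", ""), re.I):
        score += 3                                  # Azure AD aggregated risk
    if event.get("CountryCode") in HIGH_RISK_GEO:
        score += 2                                  # high-risk geolocation
    if event.get("DeviceCompliant") != "true":
        score += 1                                  # non-compliant or unknown device
    if not event.get("TrustType"):
        score += 1                                  # not Azure AD joined/registered
    if event.get("IsInteractiveLogin") == "false":
        score += 1                                  # non-interactive (token/app) auth
    if RISK_EVENTS.search(event.get("RiskEventTypes", "")):
        score += 3                                  # anomalous risk detections
    if PRIV_SCOPES.search(scopes):
        score += 2                                  # high-privilege delegated scopes
    if consent == "AllPrincipals":
        score += 3                                  # tenant-wide admin consent
        if ADMIN_SCOPES.search(scopes):
            score += 2                              # ...combined with sensitive scopes
    return score


def suppressed(event: dict) -> bool:
    """Tuning: non-interactive grants by approved automation are expected behaviour."""
    return (event.get("IsInteractiveLogin") == "false"
            and event.get("UserPrincipalName") in APPROVED_AUTOMATION)


def detect(events, threshold: int = 2) -> list:
    """Return (UPN, score) for in-scope, non-suppressed events at or above the threshold."""
    hits = []
    for event in events:
        if not in_scope(event) or suppressed(event):
            continue
        score = risk_score(event)
        if score >= threshold:
            hits.append((event["UserPrincipalName"], score))
    return hits


# Constructed sample records (not real telemetry), one per scenario the query cares about.
SAMPLE_EVENTS = [
    # 1. LinkedIn-federated sign-in, high aggregated risk, from RU, unmanaged device -> 7
    {"UserPrincipalName": "alice@example.com", "IdentityProviderType": "LinkedIn", "ApplicationDisplayName": "HR Portal",
     "Operation": "UserLoggedIn", "RiskLevelAggregated": "high", "CountryCode": "RU", "DeviceCompliant": "false",
     "TrustType": "", "IsInteractiveLogin": "true"},
    # 2. Tenant-wide admin consent granting Mail.ReadWrite -> 9
    {"UserPrincipalName": "admin@example.com", "Operation": "Consent to application", "ApplicationDisplayName": "Mail Sync Helper",
     "ConsentType": "AllPrincipals", "GrantedScopes": "Mail.ReadWrite offline_access", "RiskLevelAggregated": "none",
     "CountryCode": "US", "IsInteractiveLogin": "true"},
    # 3. Benign Google SSO from a compliant, joined device -> 0, below threshold
    {"UserPrincipalName": "bob@example.com", "IdentityProviderType": "Google", "ApplicationDisplayName": "Expense App",
     "Operation": "UserLoggedIn", "RiskLevelAggregated": "none", "CountryCode": "US", "DeviceCompliant": "true",
     "TrustType": "AzureAD", "IsInteractiveLogin": "true"},
    # 4. Approved CI service account, non-interactive broad grant -> scores 5 but is suppressed
    {"UserPrincipalName": "svc-ci-deploy@example.com", "Operation": "Add OAuth2PermissionGrant", "ServicePrincipalName": "deploy-bot",
     "ConsentType": "Principal", "GrantedScopes": "Files.ReadWrite.All", "RiskLevelAggregated": "none",
     "CountryCode": "US", "IsInteractiveLogin": "false"},
    # 5. Risky Azure AD sign-in with no social IdP or consent operation -> scores 7 but is out of scope
    {"UserPrincipalName": "carol@example.com", "IdentityProviderType": "AzureAD", "ApplicationDisplayName": "Outlook",
     "Operation": "UserLoggedIn", "RiskLevelAggregated": "high", "CountryCode": "IR", "DeviceCompliant": "false",
     "IsInteractiveLogin": "true"},
]

if __name__ == "__main__":
    for upn, score in detect(SAMPLE_EVENTS):
        print(f"{upn}: riskScore={score}")
```

Running it reports only alice (7) and admin (9). Sample 5 shows the rule's scope boundary: a risky sign-in through the tenant's own IdP scores 7 but never reaches scoring because the pre-filter requires a social IdP or a consent operation, so it belongs to a separate sign-in risk rule. Sample 4 shows why the suppression is keyed on both the UPN and the non-interactive flag: the same service account signing in interactively would still be scored.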

Testing Methodology

Validate this detection against the four Atomic Red Team-style test cases below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Simulate OAuth Consent Grant Following Social Media Phishing Link

    Expected signal: Azure AD AuditLogs: OperationName='Add application' showing a new app registration with AppName matching df00tech-oauth-test-*. If the test user navigates to the URL and consents: a SigninLogs entry for the test user with AppDisplayName matching the test app, followed by AuditLogs OperationName='Consent to application' with Scope='Mail.Read Contacts.Read offline_access'. Microsoft Defender for Cloud Apps (formerly MCAS) will generate an OAuth app governance alert if tenant OAuth monitoring is configured.

  2. Test 2: Test Anomalous Social Identity Provider Sign-in Detection

    Expected signal: Azure AD SigninLogs: entry with IdentityProvider='github' (or Microsoft external identity), UserAgent containing 'Googlebot', DeviceDetail.browser='Other' or unknown classification, DeviceDetail.isCompliant='false' (non-MDM device). Azure AD risk engine may flag as 'unfamiliarFeatures' risk detection, incrementing RiskLevelAggregated. The sign-in will result in a redirect (not a full authentication) but is still captured in logs.

  3. Test 3: Credential Stuffing Simulation Against Social Identity Federated Account

    Expected signal: Azure AD SigninLogs: 5 entries with ResultType=50126 (AADSTS50126: Invalid username or password) or 50053 (AADSTS50053: account locked) for TEST_USER within a 20-second window. IPAddress and UserAgent fields match curl defaults. Azure AD Identity Protection may generate 'Password spray' or 'Leaked credentials' risk detection. This simulates the upstream account compromise that precedes T1586.001 use against a victim organization.

  4. Test 4: Corporate Social Media Account Exposure Enumeration (Authorized OSINT)

    Expected signal: DNS queries to linkedin.com, github.com from the network running this script — visible in proxy and DNS logs. No authentication events generated against the target organization's Azure AD. GitHub API calls logged in GitHub audit log if an org membership query is made.
