# Technique T0141.001: Acquire Compromised Account
* **Summary**: Threat actors can take over existing user accounts to distribute campaign content. 
The actor may maintain the asset's previous identity to capitalise on the perceived legitimacy its previous owner had cultivated.
The actor may completely rebrand the account to exploit its existing reach, or rely on the account's history to avoid the more stringent automated content moderation rules applied to new accounts.
See also [MITRE ATT&CK's T1586 Compromise Accounts](https://attack.mitre.org/techniques/T1586/) for more technical information on how threat actors may achieve this objective.
This Technique was previously called Compromise Legitimate Accounts, and used the ID T0011.
* **Belongs to tactic stage**: TA15

| Incident | Descriptions given for this incident |
| -------- | -------------------- |
| [I00065 'Ghostwriter' Influence Campaign: Unknown Actors Leverage Website Compromises and Fabricated Content to Push Narratives Aligned With Russian Security Interests](../../generated_pages/incidents/I00065.md) | > Overall, narratives promoted in the five operations appear to represent a concerted effort to discredit the ruling political coalition, widen existing domestic political divisions and project an image of coalition disunity in Poland. In each incident, content was primarily disseminated via Twitter, Facebook, and/or Instagram accounts belonging to Polish politicians, all of whom have publicly claimed their accounts were compromised at the times the posts were made.<br><br>This example demonstrates how threat actors can use _T0141.001: Acquire Compromised Account_ to distribute inauthentic content while exploiting the legitimate account holder's persona. |

| Counters | Response types |
| -------- | -------------- |

DO NOT EDIT ABOVE THIS LINE - PLEASE ADD NOTES BELOW