type : intrusion-set
id : intrusion-set--3ea7add5-5b8f-45d8-b1f1-905d2729d62a
created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
created : 2023-01-13T20:51:13.494Z
modified : 2023-04-12T13:21:41.276Z
name : CURIUM
description : [CURIUM](https://attack.mitre.org/groups/G1012) is an Iranian threat group first reported in November 2021 that has invested in building a relationship with potential targets via social media over a period of months to establish trust and confidence before sending malware. Security researchers note [CURIUM](https://attack.mitre.org/groups/G1012) has demonstrated great patience and persistence by chatting with potential targets daily and sending benign files to help lower their security consciousness.(Citation: Microsoft Iranian Threat Actor Trends November 2021)
aliases : ['CURIUM']
external_references : [{'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/groups/G1012', 'external_id': 'G1012'}, {'source_name': 'Microsoft Iranian Threat Actor Trends November 2021', 'description': 'MSTIC. (2021, November 16). Evolving trends in Iranian threat actor activity – MSTIC presentation at CyberWarCon 2021. Retrieved January 12, 2023.', 'url': 'https://www.microsoft.com/en-us/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021'}]
object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168']
x_mitre_attack_spec_version : 3.1.0
x_mitre_deprecated : False
x_mitre_domains : ['enterprise-attack']
x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_version : 1.0

technique_ref : attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5
relationship_description : [CURIUM](https://attack.mitre.org/groups/G1012) has exfiltrated data from a compromised machine.(Citation: Microsoft Iranian Threat Actor Trends November 2021)
relationship_id : relationship--6fad7038-4d0f-48c3-937a-7128d4bf0592
revoked : False
technique : Data from Local System
technique_description : Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration. Adversaries may do this using a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), such as [cmd](https://attack.mitre.org/software/S0106) as well as a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008), which have functionality to interact with the file system to gather information.(Citation: show_run_config_cmd_cisco) Adversaries may also use [Automated Collection](https://attack.mitre.org/techniques/T1119) on the local system.
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='collection')]
technique_id : T1005
matrix : mitre-attack
platform : ['Linux', 'macOS', 'Windows', 'Network']
data_sources : ['Process: OS API Execution', 'Script: Script Execution', 'Command: Command Execution', 'Process: Process Creation', 'File: File Access']
----------------------------------------------------------------------------------------------------
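Added example, not part of the ATT&CK data above and not CURIUM tooling: detection logic for the T1005 behaviour, run over constructed command-execution events of the kind the listed data sources (Command: Command Execution, Process: Process Creation) supply. A single "dir" or "tar" is normal; what stands out is one host enumerating, searching and archiving a profile within minutes. The regex patterns, the 15-minute window and the threshold of three distinct indicators are assumptions to tune per environment, and the sample events are made up.

```python
"""Detect bursts of local file discovery and collection commands (ATT&CK T1005).

Added example. The events below are constructed, not taken from any incident,
and the regex patterns, window and threshold are assumptions to tune locally.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# (label, regex): labels are counted once per host so one noisy command line
# cannot reach the threshold on its own.
COLLECTION_PATTERNS = [
    ("recursive_listing", re.compile(r"\b(dir\s+/s|Get-ChildItem\b.*-Recurse|find\s+/\S*\s+-name)", re.I)),
    ("content_search",    re.compile(r"\b(findstr\s+/s|Select-String\b.*-Path|grep\s+-r)", re.I)),
    ("archive_staging",   re.compile(r"\b(Compress-Archive|7z\s+a\b|tar\s+-?c\w*f|zip\s+-r)", re.I)),
    ("bulk_copy",         re.compile(r"\b(robocopy\b|xcopy\s.*\s/s|cp\s+-r)", re.I)),
]
WINDOW = timedelta(minutes=15)   # assumption: collection bursts are short
THRESHOLD = 3                    # assumption: distinct indicator labels per host in WINDOW


def label_event(command_line):
    """Return the set of indicator labels whose pattern matches one command line."""
    return {label for label, rx in COLLECTION_PATTERNS if rx.search(command_line)}


def detect_collection_bursts(events):
    """Return one alert per host that shows THRESHOLD distinct indicators within WINDOW.

    events: iterable of dicts with keys ts (ISO 8601), host, user, command_line.
    """
    per_host = defaultdict(list)          # host -> [(ts, label, command_line)]
    alerted, alerts = set(), []
    for ev in sorted(events, key=lambda e: e["ts"]):
        labels = label_event(ev["command_line"])
        if not labels:
            continue
        ts = datetime.fromisoformat(ev["ts"])
        bucket = per_host[ev["host"]]
        bucket.extend((ts, label, ev["command_line"]) for label in labels)
        # Keep only entries still inside the sliding window that ends at this event.
        bucket = per_host[ev["host"]] = [b for b in bucket if ts - b[0] <= WINDOW]
        distinct = {label for _, label, _ in bucket}
        if len(distinct) >= THRESHOLD and ev["host"] not in alerted:
            alerted.add(ev["host"])
            alerts.append({
                "host": ev["host"],
                "user": ev["user"],
                "indicators": sorted(distinct),
                "first_seen": bucket[0][0].isoformat(),
                "last_seen": ts.isoformat(),
                "commands": [cmd for _, _, cmd in bucket],
            })
    return alerts


# Constructed sample telemetry: WS-14 enumerates, searches and archives a user
# profile within eight minutes; WS-07 shows two indicators hours apart.
SAMPLE_EVENTS = [
    {"ts": "2023-03-01T09:00:00", "host": "WS-14", "user": "j.doe",
     "command_line": r"cmd.exe /c dir /s /b C:\Users\j.doe\Documents > C:\Users\Public\list.txt"},
    {"ts": "2023-03-01T09:03:10", "host": "WS-14", "user": "j.doe",
     "command_line": r'findstr /s /i "password" C:\Users\j.doe\Documents\*.txt'},
    {"ts": "2023-03-01T09:07:45", "host": "WS-14", "user": "j.doe",
     "command_line": r"powershell -c Compress-Archive -Path C:\Users\j.doe\Documents -DestinationPath C:\Users\Public\d.zip"},
    {"ts": "2023-03-01T09:10:00", "host": "WS-07", "user": "a.lee",
     "command_line": r"powershell -c Get-ChildItem -Recurse C:\Projects"},
    {"ts": "2023-03-01T11:30:00", "host": "WS-07", "user": "a.lee",
     "command_line": "tar -czf backup.tgz ./src"},
]

if __name__ == "__main__":
    for alert in detect_collection_bursts(SAMPLE_EVENTS):
        print(alert)
```

Only WS-14 produces an alert; WS-07 matches two patterns but hours apart, which is the point of counting distinct indicators inside a window rather than firing on any single command. Backup agents and build servers will trip the archive and listing patterns legitimately, so exclude their service accounts or raise the threshold for them before deploying.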
technique_ref : attack-pattern--f6ad61ee-65f3-4bd0-a3f5-2f0accb36317
relationship_description : [CURIUM](https://attack.mitre.org/groups/G1012) has used social media to deliver malicious files to victims.(Citation: Microsoft Iranian Threat Actor Trends November 2021)
relationship_id : relationship--06a1f6f9-0695-47e6-bf1b-363d435d0bb2
revoked : False
technique : Spearphishing via Service
technique_description : Adversaries may send spearphishing messages via third-party services in an attempt to gain access to victim systems. Spearphishing via service is a specific variant of spearphishing. It differs from other forms of spearphishing in that it uses third-party services rather than enterprise email channels. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries send messages through social media services, personal webmail, and other services not controlled by the enterprise. These services are more likely to have a less strict security policy than the enterprise. As with most kinds of spearphishing, the goal is to build rapport with the target or get the target's interest in some way. Adversaries may create fake social media accounts and message employees about potential job opportunities, which gives a plausible reason for asking about the services, policies, and software running in the environment. The adversary can then send malicious links or attachments through these services. A common example is to build rapport with a target via social media, then send content to a personal webmail service that the target uses on their work computer. This bypasses some email restrictions on the work account, and the target is more likely to open the file since it is something they were expecting. If the payload does not work as expected, the adversary can continue normal communications and troubleshoot with the target on how to get it working.
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='initial-access')]
technique_id : T1566.003
matrix : mitre-attack
platform : ['Linux', 'macOS', 'Windows']
data_sources : ['Network Traffic: Network Traffic Flow', 'Application Log: Application Log Content', 'Network Traffic: Network Traffic Content']
----------------------------------------------------------------------------------------------------
technique_ref : attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e
relationship_description : [CURIUM](https://attack.mitre.org/groups/G1012) has lured users into opening malicious files delivered via social media.(Citation: Microsoft Iranian Threat Actor Trends November 2021)
relationship_id : relationship--24021025-b5db-4ebb-89cb-49fe5c4d709e
revoked : False
technique : Malicious File
technique_description : An adversary may rely upon a user opening a malicious file in order to gain execution. Users may be subjected to social engineering to get them to open a file that will lead to code execution. This user action will typically be observed as follow-on behavior from [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001). Adversaries may use several types of files that require a user to execute them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, and .cpl. Adversaries may employ various forms of [Masquerading](https://attack.mitre.org/techniques/T1036) and [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027) to increase the likelihood that a user will open and successfully execute a malicious file. These methods may include using a familiar naming convention and/or password protecting the file and supplying instructions to a user on how to open it.(Citation: Password Protected Word Docs) While [Malicious File](https://attack.mitre.org/techniques/T1204/002) frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after [Internal Spearphishing](https://attack.mitre.org/techniques/T1534).
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='execution')]
technique_id : T1204.002
matrix : mitre-attack
platform : ['Linux', 'macOS', 'Windows']
data_sources : ['Process: Process Creation', 'File: File Creation']
----------------------------------------------------------------------------------------------------
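Added example, not part of the ATT&CK data above and not CURIUM tooling, covering the two preceding records together: the delivery channel of T1566.003 (a file received through a social-media or webmail service) is tied to the execution of T1204.002 (the user runs it, or a document handler opens it). On Windows, browsers record the download origin in the Zone.Identifier alternate data stream as ReferrerUrl and HostUrl, so a file-creation event that carries that stream can be correlated with a later process-creation event for the same path. The events are constructed and loosely modelled on Sysmon Event ID 15 (FileCreateStreamHash, which records stream contents) and Event ID 1 (ProcessCreate); the simplified field names, the domain list and the 24-hour window are assumptions.

```python
"""Correlate files delivered through social-media or webmail services with their
later execution by the user (ATT&CK T1566.003 followed by T1204.002).

Added example. Events are constructed and loosely modelled on Sysmon Event ID 15
(FileCreateStreamHash, Zone.Identifier contents) and Event ID 1 (ProcessCreate);
the field names are simplified and are an assumption.
"""
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Assumption: services whose downloads count as non-enterprise delivery. Tune per org.
NON_ENTERPRISE_DOMAINS = ("facebook.com", "fbcdn.net", "linkedin.com", "licdn.com",
                          "twitter.com", "mail.google.com", "outlook.live.com")
WINDOW = timedelta(hours=24)   # assumption: how long after download an execution is still linked


def parse_zone_identifier(contents):
    """Parse the [ZoneTransfer] INI body of a Zone.Identifier stream into a dict."""
    fields = {}
    for line in contents.splitlines():
        if "=" in line and not line.startswith("["):
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    return fields


def non_enterprise_origin(zone):
    """Return the matching service domain when the file came from the Internet zone
    through one of NON_ENTERPRISE_DOMAINS, else None."""
    if zone.get("ZoneId") not in ("3", "4"):       # 3 = Internet, 4 = Restricted sites
        return None
    for key in ("ReferrerUrl", "HostUrl"):
        host = (urlparse(zone.get(key, "")).hostname or "").lower()
        for domain in NON_ENTERPRISE_DOMAINS:
            if host == domain or host.endswith("." + domain):
                return domain
    return None


def correlate_download_to_execution(events):
    """Return alerts for tracked downloads that are run directly or opened by a handler."""
    downloads = {}          # lowercase path -> {"path", "ts", "user", "origin"}
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["event"] == "FileCreateStreamHash" and ev["target"].lower().endswith(":zone.identifier"):
            path = ev["target"].rsplit(":", 1)[0]           # strip the stream name
            origin = non_enterprise_origin(parse_zone_identifier(ev["contents"]))
            if origin:
                downloads[path.lower()] = {"path": path, "ts": ts, "user": ev["user"], "origin": origin}
        elif ev["event"] == "ProcessCreate":
            image, cmd = ev["image"].lower(), ev["command_line"].lower()
            # Direct execution (image is the file) or a handler opening it (path on command line).
            hit = next((p for p, d in downloads.items()
                        if (image == p or p in cmd) and ts - d["ts"] <= WINDOW), None)
            if hit:
                d = downloads.pop(hit)                        # alert once per download
                alerts.append({
                    "host": ev["host"], "user": ev["user"], "file": d["path"],
                    "origin": d["origin"], "downloaded_at": d["ts"].isoformat(),
                    "executed_at": ts.isoformat(), "image": ev["image"],
                    "parent_image": ev["parent_image"],
                })
    return alerts


# Constructed sample telemetry for one workstation (helpers only build event dicts).
def _stream(ts, target, referrer, host_url, zone="3"):
    return {"ts": ts, "event": "FileCreateStreamHash", "host": "WS-22", "user": "j.doe",
            "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "target": target,
            "contents": f"[ZoneTransfer]\r\nZoneId={zone}\r\nReferrerUrl={referrer}\r\nHostUrl={host_url}\r\n"}


def _proc(ts, image, command_line, parent=r"C:\Windows\explorer.exe"):
    return {"ts": ts, "event": "ProcessCreate", "host": "WS-22", "user": "j.doe",
            "image": image, "command_line": command_line, "parent_image": parent}


SAMPLE_EVENTS = [
    # Document received through LinkedIn messaging, opened in Word three minutes later: alert.
    _stream("2023-02-06T10:02:00", r"C:\Users\j.doe\Downloads\project_brief.docx:Zone.Identifier",
            "https://www.linkedin.com/messaging/thread/2-abc/", "https://media.licdn.com/dms/document/brief.docx"),
    _proc("2023-02-06T10:05:00", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
          r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n "C:\Users\j.doe\Downloads\project_brief.docx"'),
    # Spreadsheet from the corporate SharePoint: enterprise origin, no alert.
    _stream("2023-02-06T10:15:00", r"C:\Users\j.doe\Downloads\q1_report.xlsx:Zone.Identifier",
            "https://contoso.sharepoint.com/sites/finance", "https://contoso.sharepoint.com/sites/finance/q1_report.xlsx"),
    _proc("2023-02-06T10:20:00", r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
          r'"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" /e "C:\Users\j.doe\Downloads\q1_report.xlsx"'),
    # Archive from Facebook Messenger that is never opened: no alert.
    _stream("2023-02-06T10:25:00", r"C:\Users\j.doe\Downloads\photo_album.zip:Zone.Identifier",
            "https://www.facebook.com/messages/t/100/", "https://scontent.xx.fbcdn.net/v/photo_album.zip"),
    # Executable from Facebook Messenger run straight from Downloads: alert.
    _stream("2023-02-06T10:28:00", r"C:\Users\j.doe\Downloads\photo_viewer.exe:Zone.Identifier",
            "https://www.facebook.com/messages/t/100/", "https://scontent.xx.fbcdn.net/v/photo_viewer.exe"),
    _proc("2023-02-06T10:31:00", r"C:\Users\j.doe\Downloads\photo_viewer.exe", r'"C:\Users\j.doe\Downloads\photo_viewer.exe"'),
]

if __name__ == "__main__":
    for alert in correlate_download_to_execution(SAMPLE_EVENTS):
        print(alert)
```

Two alerts result: the LinkedIn document opened by WINWORD.EXE and the Facebook executable launched from explorer.exe; the SharePoint file is ignored and the unopened archive never fires. Zone.Identifier is only written by applications that honour the mark of the web, and desktop messaging clients may not write it at all, so treat a freshly created file in a download directory with no stream as its own weaker signal rather than as proof of a local origin.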
technique_ref : attack-pattern--b1ccd744-3f78-4a0e-9bb2-2002057f7928
relationship_description : [CURIUM](https://attack.mitre.org/groups/G1012) has established a network of fictitious social media accounts, including on Facebook and LinkedIn, to establish relationships with victims, often posing as an attractive woman.(Citation: Microsoft Iranian Threat Actor Trends November 2021)
relationship_id : relationship--6fc8e3dd-1bb7-4e76-8a8c-9e836f944488
revoked : False
technique : Social Media Accounts
technique_description : Adversaries may create and cultivate social media accounts that can be used during targeting. Adversaries can create social media accounts that can be used to build a persona to further operations. Persona development consists of the development of public information, presence, history and appropriate affiliations.(Citation: NEWSCASTER2014)(Citation: BlackHatRobinSage) For operations incorporating social engineering, the utilization of a persona on social media may be important. These personas may be fictitious or impersonate real people. The persona may exist on a single social media site or across multiple sites (ex: Facebook, LinkedIn, Twitter, etc.). Establishing a persona on social media may require development of additional documentation to make them seem real. This could include filling out profile information, developing social networks, or incorporating photos. Once a persona has been developed an adversary can use it to create connections to targets of interest. These connections may be direct or may include trying to connect through others.(Citation: NEWSCASTER2014)(Citation: BlackHatRobinSage) These accounts may be leveraged during other phases of the adversary lifecycle, such as during Initial Access (ex: [Spearphishing via Service](https://attack.mitre.org/techniques/T1566/003)).
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='resource-development')]
technique_id : T1585.001
matrix : mitre-attack
platform : ['PRE']
data_sources : ['Network Traffic: Network Traffic Content', 'Persona: Social Media']
----------------------------------------------------------------------------------------------------