Establishing accounts is a tactic in which attackers create fake identities or hijack legitimate accounts to support later attack activity; it is typically used in phases such as phishing, command and control, and resource staging. Attackers register accounts on platforms the target trusts by forging personal or corporate credentials, using them to build attack infrastructure or social-engineering contact channels. Traditional defenses detect this mainly by analyzing the authenticity of registration information (e.g., document verification), monitoring for anomalous bulk registration, and checking the consistency of account activity.
To evade traditional identity verification and anomaly detection, attackers have developed multi-dimensional evasion techniques for account establishment: cross-platform identity corroboration, abuse of legitimate service rules, and dynamic maintenance of identity profiles, all used to embed malicious accounts deep inside the target's business ecosystem. These techniques escape the detection perspective of any single platform and exploit the fragmentation of digital identity verification systems to construct disguised identities that appear credible globally.
What existing evasion techniques have in common is a "locally compliant, globally malicious" form of identity. Cross-platform identity linkage uses cross-validation of multi-source data to defeat any single platform's identity review: at the micro level, each account's registration conforms to platform rules, yet at the macro level the accounts form a network that attacks in coordination. Service-abuse parasitism exploits weaknesses in commercial promotion strategies, hiding malicious registrations inside the legitimate user-growth curve and preserving the "normal user" appearance of accounts by controlling their resource consumption. Automated identity maintenance systems address, along the time dimension, the detectability of static forged identities, so that an account's behavioral trajectory shows natural evolution. Three trends are visible: identity-element collection is moving from one-way forgery to two-way data infiltration (using public data to construct identities while contaminating public databases in reverse); behavior simulation is moving from rule-driven to AI-generated; and infrastructure dependence is shifting from attacker-built systems to deep parasitism on public cloud services.
| Effect type | Present |
|---|---|
| Feature disguise | ✅ |
| Behavior transparency | ❌ |
| Data obscuration | ✅ |
| Spatiotemporal trace dispersal | ✅ |
Attackers meticulously forge identity materials (e.g., corporate documents, legal-representative signatures, project documentation) and simulate real user behavior patterns (e.g., social interaction, content production), so that a malicious account shows the characteristics of a legitimate user along every review dimension of a single platform. Cross-platform identity corroboration is then used to build a globally trusted identity network, giving the account cluster a "surface compliance" disguise.
During account creation and maintenance, attackers use encrypted communication channels to transmit sensitive operational instructions (e.g., ID image uploads, synchronization of multi-factor authentication tokens), and use the legitimate data-encryption features offered by cloud providers to hide the metadata of the account control side. Some advanced attacks store fragments of identity elements on blockchains, further complicating data provenance.
Registration activity is geographically decoupled by performing it through globally distributed nodes, so that account creation is spread across network traffic in different jurisdictions. A long-cycle identity cultivation strategy separates the malicious operation phase from the registration phase in time, so that attack indicators are diluted within the platform's normal user lifecycle management.
| ID | Name | Description |
|---|---|---|
| G0025 | APT17 | APT17 has created and cultivated profile pages in Microsoft TechNet. To make profile pages appear more legitimate, APT17 has created biographical sections and posted in forum threads.[1] |
| G1003 | Ember Bear | Ember Bear has created accounts on dark web forums to obtain various tools and malware.[2] |
| G0117 | Fox Kitten | Fox Kitten has created KeyBase accounts to communicate with ransomware victims.[3][4] |
| ID | Mitigation | Description |
|---|---|---|
| M1056 | Pre-compromise | This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. |
| ID | Data Source | Data Component | Detects |
|---|---|---|---|
| DS0029 | Network Traffic | Network Traffic Content | Monitor and analyze traffic patterns and packet contents associated with protocols that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax or structure). Consider correlation with process monitoring and command-line data to detect anomalous process execution and command-line arguments associated with those traffic patterns (e.g., monitor anomalies in the use of files that do not normally initiate connections for the respective protocols). |
| DS0021 | Persona | Social Media | Consider monitoring social media activity related to your organization. Suspicious activity may include personas claiming to work for your organization, or recently created or modified accounts making numerous connection requests to accounts affiliated with your organization. Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as Initial Access (e.g., Phishing). |
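Added example, not from the ATT&CK page or the analysis above: the persona heuristic from the Social Media detection row, run over a constructed connection-request log. The record layout, the `ORG_AFFILIATED` and `HR_DIRECTORY` sets, and the thresholds are assumptions; the sample also includes a long-cultivated account (old registration, false employment claim) to show why account age alone is not enough, as the text on time-separated registration warns.

```python
from collections import defaultdict
from datetime import datetime

# Constructed reference data (assumed shape): social handles affiliated with the
# organization, and the HR directory of handles that real employees registered.
ORG_AFFILIATED = {"alice.example", "bob.example", "carol.example", "dan.example"}
HR_DIRECTORY = {"alice.example", "bob.example", "carol.example", "dan.example"}

# Constructed connection-request log: (requester, requester_created, claims_org, target).
NOW = datetime(2024, 6, 1)
EVENTS = [
    # 12-day-old persona claiming to work for us, fanning out to staff.
    ("recruiter.new", datetime(2024, 5, 20), True, "alice.example"),
    ("recruiter.new", datetime(2024, 5, 20), True, "bob.example"),
    ("recruiter.new", datetime(2024, 5, 20), True, "carol.example"),
    ("recruiter.new", datetime(2024, 5, 20), True, "dan.example"),
    # Long-cultivated persona: registered years ago, so an age check misses it.
    ("old.persona", datetime(2019, 1, 15), True, "alice.example"),
    ("old.persona", datetime(2019, 1, 15), True, "bob.example"),
    ("old.persona", datetime(2019, 1, 15), True, "carol.example"),
    # Genuine new hire: new account, but listed in HR and only one request.
    ("dan.example", datetime(2024, 5, 25), True, "alice.example"),
    # Unrelated old account contacting someone outside the organization.
    ("random.user", datetime(2021, 3, 3), False, "someone.else"),
]


def find_suspicious_personas(events, now=NOW, org_affiliated=ORG_AFFILIATED,
                             hr_directory=HR_DIRECTORY, max_age_days=30, min_targets=3):
    """Return {requester: [reasons]} for accounts that fan out connection requests to
    org-affiliated targets AND are either recently created or claim employment that
    the HR directory does not confirm. Thresholds are illustrative assumptions."""
    seen = defaultdict(lambda: {"targets": set(), "created": None, "claims_org": False})
    for requester, created, claims_org, target in events:
        if target not in org_affiliated:
            continue  # only fan-out toward our own people matters for this heuristic
        rec = seen[requester]
        rec["targets"].add(target)
        rec["created"] = created
        rec["claims_org"] |= claims_org
    alerts = {}
    for requester, rec in seen.items():
        if len(rec["targets"]) < min_targets:
            continue
        reasons = []
        age_days = (now - rec["created"]).days
        if age_days <= max_age_days:
            reasons.append(f"account created {age_days} days ago")
        if rec["claims_org"] and requester not in hr_directory:
            reasons.append("claims employment but absent from HR directory")
        if reasons:
            alerts[requester] = reasons
    return alerts
```

Running it on the sample flags `recruiter.new` and `old.persona`, and leaves the genuine new hire alone because the HR directory confirms the claim and the fan-out threshold is not reached.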