Counter C00043: Detect hijacked accounts and reallocate them

  • Summary:

  • Playbooks: In all playbooks the platform must force user verification, credential reset and enable MFA. Suspend the account if it cannot be verified.

      • Playbook 1: Use sites like https://haveibeenpwned.com to detect compromised and at-risk user accounts.
      • Playbook 2: Monitor for unusual account usage (use of VPN, new geographic location, unusual usage hours, etc.).
      • Playbook 3: Detect sudden deviation in user sentiment such as suddenly dropping hashtags linked to extremist content.
      • Playbook 4: Purchase "likes", "retweets" and other vehicles which identify a bot and/or hijacked account. Ban the account.
      • Playbook 5: Detect hijacked account and spam their posts. "OP is a known disinformation bot. http://link.to.proof[.]com"

  • Metatechnique: M012 - cleaning

  • Resources needed: R003 - money

  • Belongs to tactic stage: TA03

Counters these Tactics
Counters these Techniques
T0011 Hijack legitimate account
Seen in incidents

DO NOT EDIT ABOVE THIS LINE - PLEASE ADD NOTES BELOW