1. Home
  2. Techniques
  3. Enterprise
  4. Masquerading
  5. Masquerade Account Name

Masquerading: Masquerade Account Name

ID Name
T1036.001 Invalid Code Signature
T1036.002 Right-to-Left Override
T1036.003 Rename System Utilities
T1036.004 Masquerade Task or Service
T1036.005 Match Legitimate Name or Location
T1036.006 Space after Filename
T1036.007 Double File Extension
T1036.008 Masquerade File Type
T1036.009 Break Process Trees
T1036.010 Masquerade Account Name

Adversaries may match or approximate the names of legitimate accounts to make newly created ones appear benign. This will typically occur during Create Account, although accounts may also be renamed at a later date. This may also coincide with Account Access Removal if the actor first deletes an account before re-creating one with the same name.[1]

Often, adversaries will attempt to masquerade as service accounts, such as those associated with legitimate software, data backups, or container cluster management.[2][3] They may also give accounts generic, trustworthy names, such as "admin", "help", or "root."[4] Sometimes adversaries may model account names off of those already existing in the system, as a follow-on behavior to Account Discovery.

Note that this is distinct from Impersonation, which describes impersonating specific trusted individuals or organizations, rather than user or service account names.

ID: T1036.010
Sub-technique of:  T1036
Tactic: Defense Evasion
Platforms: Containers, IaaS, Identity Provider, Linux, Office Suite, SaaS, Windows, macOS
Contributors: Menachem Goldstein
Version: 1.0
Created: 05 August 2024
Last Modified: 17 October 2024
Version Permalink

Procedure Examples

ID Name Description
C0025 2016 Ukraine Electric Power Attack

During the 2016 Ukraine Electric Power Attack, Sandworm Team created two new accounts, "admin" and "система" (System).[5]
G0022 APT3

APT3 has been known to create or enable accounts, such as support_388945a0.[6]
G0035 Dragonfly

Dragonfly has created accounts disguised as legitimate backup and service accounts as well as an email administration account.[7]
S0143 Flame

Flame can create backdoor accounts with login HelpAssistant on domain connected systems if appropriate rights are available.[8][9]
G0059 Magic Hound

Magic Hound has created local accounts named help and DefaultAccount on compromised machines.[10][11]
S0382 ServHelper

ServHelper has created a new user named supportaccount.[12]

Mitigations

ID Mitigation Description
M1047 Audit

Audit user accounts to ensure that each one has a defined purpose.

M1018 User Account Management

Consider defining and enforcing a naming convention for user accounts to more easily spot generic account names that do not fit the typical schema.

Detection

ID Data Source Data Component Detects
DS0002 User Account User Account Creation

Monitor for newly constructed accounts with names that are unusually generic or identical to recently-deleted accounts.

References

  1. John Hammond. (2023, June 1). MOVEit Transfer Critical Vulnerability CVE-2023-34362 Rapid Response. Retrieved August 5, 2024.
  2. Daniel Stepanic, Derek Ditch, Seth Goodwin, Salim Bitam, Andrew Pease. (2022, September 7). CUBA Ransomware Campaign Analysis. Retrieved August 5, 2024.
  3. Michael Katchinskiy, Assaf Morag. (2023, April 21). First-Ever Attack Leveraging Kubernetes RBAC to Backdoor Clusters. Retrieved July 14, 2023.
  4. Invictus IR. (2024, January 11). Ransomware in the cloud. Retrieved August 5, 2024.
  5. Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020.
  6. valsmith. (2012, September 21). More on APTSim. Retrieved September 28, 2017.
  1. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
  2. Gostev, A. (2012, May 28). The Flame: Questions and Answers. Retrieved March 1, 2017.
  3. Gostev, A. (2012, May 30). Flame: Bunny, Frog, Munch and BeetleJuice…. Retrieved March 1, 2017.
  4. DFIR Report. (2022, March 21). APT35 Automates Initial Access Using ProxyShell. Retrieved May 25, 2022.
  5. MSTIC. (2021, November 16). Evolving trends in Iranian threat actor activity – MSTIC presentation at CyberWarCon 2021. Retrieved January 12, 2023.
  6. Schwarz, D. and Proofpoint Staff. (2019, January 9). ServHelper and FlawedGrace - New malware introduced by TA505. Retrieved May 28, 2019.