Masquerading: Masquerade Account Name

Adversaries may match or approximate the names of legitimate accounts to make newly created ones appear benign. This will typically occur during Create Account, although accounts may also be renamed at a later date. This may also coincide with Account Access Removal if the actor first deletes an account before re-creating one with the same name.[1]

Often, adversaries will attempt to masquerade as service accounts, such as those associated with legitimate software, data backups, or container cluster management.[2][3] They may also give accounts generic, trustworthy names, such as "admin", "help", or "root."[4] Sometimes adversaries may model account names off of those already existing in the system, as a follow-on behavior to Account Discovery.

Note that this is distinct from Impersonation, which describes impersonating specific trusted individuals or organizations, rather than user or service account names.

ID: T1036.010
Sub-technique of:  T1036
Tactic: Defense Evasion
Platforms: Containers, IaaS, Identity Provider, Linux, Office Suite, SaaS, Windows, macOS
Contributors: Menachem Goldstein
Version: 1.0
Created: 05 August 2024
Last Modified: 17 October 2024

Procedure Examples

ID Name Description
C0025 2016 Ukraine Electric Power Attack

During the 2016 Ukraine Electric Power Attack, Sandworm Team created two new accounts, "admin" and "система" (System).[5]

G0022 APT3

APT3 has been known to create or enable accounts, such as support_388945a0.[6]

G0035 Dragonfly

Dragonfly has created accounts disguised as legitimate backup and service accounts as well as an email administration account.[7]

S0143 Flame

Flame can create backdoor accounts with login HelpAssistant on domain connected systems if appropriate rights are available.[8][9]

G0059 Magic Hound

Magic Hound has created local accounts named help and DefaultAccount on compromised machines.[10][11]

S0382 ServHelper

ServHelper has created a new user named supportaccount.[12]

Mitigations

ID Mitigation Description
M1047 Audit

Audit user accounts to ensure that each one has a defined purpose.

M1018 User Account Management

Consider defining and enforcing a naming convention for user accounts to more easily spot generic account names that do not fit the typical schema.

Detection

ID Data Source Data Component Detects
DS0002 User Account User Account Creation

Monitor for newly constructed accounts with names that are unusually generic or identical to recently-deleted accounts.

References