Adversaries may match or approximate the names of legitimate accounts to make newly created ones appear benign. This will typically occur during Create Account, although accounts may also be renamed at a later date. This may also coincide with Account Access Removal if the actor first deletes an account before re-creating one with the same name.[1]
Often, adversaries will attempt to masquerade as service accounts, such as those associated with legitimate software, data backups, or container cluster management.[2][3] They may also give accounts generic, trustworthy names, such as "admin", "help", or "root."[4] Sometimes adversaries may model account names off of those already existing in the system, as a follow-on behavior to Account Discovery.
Note that this is distinct from Impersonation, which describes impersonating specific trusted individuals or organizations, rather than user or service account names.
| ID | Name | Description |
|---|---|---|
| C0025 | 2016 Ukraine Electric Power Attack |
During the 2016 Ukraine Electric Power Attack, Sandworm Team created two new accounts, "admin" and "система" (System).[5] |
| G0022 | APT3 |
APT3 has been known to create or enable accounts, such as |
| G0035 | Dragonfly |
Dragonfly has created accounts disguised as legitimate backup and service accounts as well as an email administration account.[7] |
| S0143 | Flame |
Flame can create backdoor accounts with login |
| G0059 | Magic Hound |
Magic Hound has created local accounts named |
| S0382 | ServHelper |
ServHelper has created a new user named |
| G1046 | Storm-1811 |
Storm-1811 has created Microsoft Teams accounts that spoof IT support and helpdesk members for use in application and voice phishing.[13] |
| ID | Mitigation | Description |
|---|---|---|
| M1047 | Audit |
Audit user accounts to ensure that each one has a defined purpose. |
| M1018 | User Account Management |
Consider defining and enforcing a naming convention for user accounts to more easily spot generic account names that do not fit the typical schema. |
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| DET0383 | Detection Strategy for Masquerading via Account Name Similarity | AN1077 |
Detects adversary behavior where a newly created or renamed user account closely resembles existing service or administrator accounts to blend in and avoid detection. Common patterns include prefix/suffix modifications, homoglyphs, or use of names like 'admin1', 'adm1n', or 'backup_help'. |
| AN1078 |
Detects creation or renaming of accounts with names that closely match known service, root, or admin accounts. Behavior often follows account discovery or deletion, attempting to blend into system activity logs using trusted name conventions. |
||
| AN1079 |
Detects adversary creation of cloud or IdP accounts whose names resemble existing privileged or service accounts. May indicate preparation for privilege escalation or defense evasion. |
||
| AN1080 |
Monitors for the creation of accounts inside containers using names that resemble legitimate orchestrator or backup identities to mask adversary persistence. |