T1036.010 Masquerade Account Name Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let SuspiciousAccountNames = dynamic([
  "admin", "administrator", "help", "helpdesk", "HelpAssistant",
  "support", "supportaccount", "svc_backup", "svc_sql", "svc_update",
  "backup", "backupadmin", "DefaultAccount", "default", "root",
  "service", "system", "sysadmin", "dbadmin", "sqladmin",
  "guest", "test", "temp", "maintenance", "monitoring"
]);
let NewAccounts = SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID == 4720
| extend NewAccountName = tostring(TargetUserName)
| extend CreatorAccount = tostring(SubjectUserName)
| extend NewAccountNameLower = tolower(NewAccountName);
NewAccounts
| where NewAccountNameLower has_any (SuspiciousAccountNames)
   or NewAccountNameLower matches regex @"^(svc_|svc-|service|backup|admin|help|support|default|sys)"
   or NewAccountNameLower matches regex @"(admin|service|backup|help|support)$"
| extend NameContainsUnderscore = NewAccountName contains "_"
| extend NameContainsNumbers = NewAccountName matches regex @"[0-9]{4,}"
| project TimeGenerated, Computer, EventID, NewAccountName, CreatorAccount,
         NewAccountNameLower, NameContainsUnderscore, NameContainsNumbers
| sort by TimeGenerated desc

high severity medium confidence

Data Sources

User Account: User Account Creation Windows Security Event Log Active Directory

Required Tables

SecurityEvent

False Positives

IT administrators legitimately creating service accounts with conventional naming patterns (svc_*, backup*, admin*) during planned software deployments or infrastructure changes
Automated provisioning systems (SCCM, Ansible, Terraform) creating accounts with templated names during scheduled infrastructure deployments
Password reset workflows that delete and re-create accounts with the same name as part of account recovery procedures
Helpdesk or support team accounts legitimately named 'help', 'helpdesk', or 'support' in organizations that use these conventions

Splunk

spl

index=wineventlog sourcetype="WinEventLog:Security" EventCode=4720
| eval NewAccount=lower(TargetUserName)
| eval suspicious_pattern=if(match(NewAccount, "^(admin|administrator|help|helpdesk|helpassistant|support|supportaccount|backup|backupadmin|defaultaccount|default|root|service|system|sysadmin|dbadmin|sqladmin|guest|test|temp|maintenance|monitoring|svc_.*|svc-.*)"), 1, 0)
| eval suspicious_suffix=if(match(NewAccount, "(admin|service|backup|help|support)$"), 1, 0)
| eval has_random_suffix=if(match(NewAccount, "[a-z]+_[0-9a-f]{6,}"), 1, 0)
| eval SuspicionScore=suspicious_pattern + suspicious_suffix + has_random_suffix
| where SuspicionScore > 0
| table _time, host, SubjectUserName, TargetUserName, NewAccount, suspicious_pattern, suspicious_suffix, has_random_suffix, SuspicionScore
| sort - _time

high severity medium confidence

Data Sources

User Account: User Account Creation Windows Security Event Log

Required Sourcetypes

WinEventLog:Security

False Positives

IT administrators creating service accounts with conventional naming patterns during planned deployments
Automated provisioning systems creating templated accounts during infrastructure changes
Password reset workflows that recreate accounts with the same name
Organizations that legitimately use 'help', 'support', or 'admin' as account naming conventions

Elastic Security (EQL)

eql

iam where event.code == "4720" and (
  winlog.event_data.TargetUserName in~ ("admin", "administrator", "help", "helpdesk", "helpassistant", "support", "supportaccount", "svc_backup", "svc_sql", "svc_update", "backup", "backupadmin", "defaultaccount", "default", "root", "service", "system", "sysadmin", "dbadmin", "sqladmin", "guest", "test", "temp", "maintenance", "monitoring") or
  winlog.event_data.TargetUserName like~ "svc_*" or
  winlog.event_data.TargetUserName like~ "svc-*" or
  winlog.event_data.TargetUserName like~ "admin*" or
  winlog.event_data.TargetUserName like~ "service*" or
  winlog.event_data.TargetUserName like~ "backup*" or
  winlog.event_data.TargetUserName like~ "help*" or
  winlog.event_data.TargetUserName like~ "support*" or
  winlog.event_data.TargetUserName like~ "default*" or
  winlog.event_data.TargetUserName like~ "sys*" or
  winlog.event_data.TargetUserName like~ "*admin" or
  winlog.event_data.TargetUserName like~ "*service" or
  winlog.event_data.TargetUserName like~ "*backup" or
  winlog.event_data.TargetUserName like~ "*help" or
  winlog.event_data.TargetUserName like~ "*support"
)

medium severity high confidence

Data Sources

Windows Security Event Log via Winlogbeat or Elastic Agent Windows host telemetry

Required Tables

winlogbeat-* logs-system.security-*

False Positives

Enterprise backup software (Veeam, Commvault, Acronis) automatically creating service accounts named 'svc_backup' or 'backupadmin' during installation or initial configuration on Windows servers
Database platform installers (Microsoft SQL Server, MySQL, PostgreSQL) that create dedicated service accounts matching 'svc_sql', 'dbadmin', or 'sqladmin' patterns as part of automated first-run setup routines
Helpdesk or ITSM platforms (ServiceNow on-prem agents, Zendesk) that provision dedicated support or helpdesk accounts matching monitored naming patterns during standard IT onboarding workflows

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  LOGSOURCENAME(logsourceid) AS LogSource,
  sourceip AS SourceHost,
  username AS NewAccountName,
  CATEGORYNAME(category) AS EventCategory
FROM events
WHERE (devicetype = 12 OR LOGSOURCETYPENAME(devicetype) ILIKE '%Windows Security%')
  AND QIDNAME(qid) ILIKE '%user account was created%'
  AND (
    LOWER(username) IN (
      'admin', 'administrator', 'help', 'helpdesk', 'helpassistant',
      'support', 'supportaccount', 'svc_backup', 'svc_sql', 'svc_update',
      'backup', 'backupadmin', 'defaultaccount', 'default', 'root',
      'service', 'system', 'sysadmin', 'dbadmin', 'sqladmin',
      'guest', 'test', 'temp', 'maintenance', 'monitoring'
    )
    OR LOWER(username) MATCHES '^(svc_|svc-|service|backup|admin|help|support|default|sys)'
    OR LOWER(username) MATCHES '(admin|service|backup|help|support)$'
  )
ORDER BY starttime DESC
LAST 24 HOURS

medium severity medium confidence

Data Sources

Microsoft Windows Security Event Log QRadar log source with devicetype=12 (Windows Security Event Log)

Required Tables

events

False Positives

Legitimate software deployment pipelines (SCCM, Intune, Puppet) that automatically create service accounts with naming patterns like 'svc_update' or 'svc_backup' during managed software installation and patch management across the fleet
Active Directory provisioning workflows that bulk-create accounts following organizational naming standards using 'svc_' prefixes for all service accounts, generating alerts across multiple hosts simultaneously during provisioning windows
Authorized penetration testing or red team engagements that intentionally create accounts with suspicious names as part of scoped attack simulations — validate against change management calendar and current SOC advisory before escalating

Sumo Logic CSE

sql

_sourceCategory=*windows*security* (EventCode=4720 OR EventID=4720)
| parse regex "TargetUserName\s*:\s*(?<NewAccount>\S+)" nodrop
| parse regex "SubjectUserName\s*:\s*(?<CreatorAccount>\S+)" nodrop
| where !isNull(NewAccount)
| eval NewAccount = toLower(trim(NewAccount))
| where NewAccount in ("admin", "administrator", "help", "helpdesk", "helpassistant", "support", "supportaccount", "svc_backup", "svc_sql", "svc_update", "backup", "backupadmin", "defaultaccount", "default", "root", "service", "system", "sysadmin", "dbadmin", "sqladmin", "guest", "test", "temp", "maintenance", "monitoring") OR NewAccount =~ "^(svc_|svc-|service|backup|admin|help|support|default|sys).*" OR NewAccount =~ ".*(admin|service|backup|help|support)$"
| eval SuspiciousPrefix = if(NewAccount =~ "^(svc_|svc-|service|backup|admin|help|support|default|sys).*", "true", "false")
| eval SuspiciousSuffix = if(NewAccount =~ ".*(admin|service|backup|help|support)$", "true", "false")
| eval HasRandomSuffix = if(NewAccount =~ "[a-z]+_[0-9a-f]{6,}", "true", "false")
| eval SuspicionScore = if(SuspiciousPrefix="true",1,0) + if(SuspiciousSuffix="true",1,0) + if(HasRandomSuffix="true",1,0)
| fields _messagetime, _sourcehost, CreatorAccount, NewAccount, SuspiciousPrefix, SuspiciousSuffix, HasRandomSuffix, SuspicionScore
| sort by _messagetime desc

medium severity high confidence

Data Sources

Windows Security Event Log via Sumo Logic Installed Collector Windows Event Log source configured for the Security channel

Required Tables

_sourceCategory=*windows*security*

False Positives

Infrastructure automation tools (Ansible, Terraform, Chef) that create service accounts with standardized naming conventions such as 'svc_update' or 'monitoring' during provisioning of new servers or cloud instances as part of infrastructure-as-code pipelines
Third-party monitoring and observability agents (Datadog, New Relic, PRTG, Zabbix) that install service accounts named 'monitoring' or using 'svc_' prefixes during agent deployment across managed endpoints
Temporary test accounts created by developers or QA engineers with names like 'test', 'temp', or 'testadmin' during development, staging, or load testing activities that are not promptly removed after the activity concludes

Google Chronicle / SecOps

yaral

rule masquerade_account_name_t1036_010 {
  meta:
    author = "Detection Engineering"
    description = "Detects creation of accounts with names masquerading as legitimate system, service, or administrative accounts (MITRE ATT&CK T1036.010)"
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1036.010"
    severity = "HIGH"
    priority = "HIGH"
    yara_version = "YL2.0"
    rule_version = "1.0"

  events:
    $e.metadata.event_type = "USER_CREATION"
    (
      re.regex($e.target.user.userid, `(?i)^(admin|administrator|help|helpdesk|helpassistant|support|supportaccount|svc_backup|svc_sql|svc_update|backup|backupadmin|defaultaccount|default|root|service|system|sysadmin|dbadmin|sqladmin|guest|test|temp|maintenance|monitoring)$`) or
      re.regex($e.target.user.userid, `(?i)^(svc_|svc-|service|backup|admin|help|support|default|sys)`) or
      re.regex($e.target.user.userid, `(?i)(admin|service|backup|help|support)$`)
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle UDM (Unified Data Model) Windows Security Event Log ingested into Chronicle Any Chronicle-supported log source that maps account creation events to USER_CREATION UDM event type

Required Tables

UDM events with metadata.event_type = USER_CREATION

False Positives

Software installers that programmatically create service accounts during first-run setup (e.g., SQL Server creating 'sqladmin', Veeam creating 'svc_backup') appearing as USER_CREATION UDM events without supporting context about the installer process
Cloud infrastructure provisioning workflows (GCP, AWS, Azure) that create default service accounts using generic names such as 'admin', 'service', or 'default' when deploying new workloads or Kubernetes cluster nodes
Directory synchronization processes (Azure AD Connect, Google Workspace Directory Sync) that replicate existing account names from on-premises Active Directory into cloud directories, generating USER_CREATION UDM events for accounts already established in the source system

CrowdStrike LogScale (CQL)

cql

// Requires Windows Security Event Log ingestion into Falcon LogScale
EventCode=4720
| regex(field=TargetUserName, regex="(?i)(^(admin|administrator|help|helpdesk|helpassistant|support|supportaccount|svc_backup|svc_sql|svc_update|backup|backupadmin|defaultaccount|default|root|service|system|sysadmin|dbadmin|sqladmin|guest|test|temp|maintenance|monitoring)$|^(svc_|svc-|service|backup|admin|help|support|default|sys)|(admin|service|backup|help|support)$)")
| eval(SuspiciousPrefix=if(TargetUserName=~/(?i)^(svc_|svc-|service|backup|admin|help|support|default|sys)/, 1, 0))
| eval(SuspiciousSuffix=if(TargetUserName=~/(?i)(admin|service|backup|help|support)$/, 1, 0))
| eval(HasRandomSuffix=if(TargetUserName=~/[a-z]+_[0-9a-f]{6,}/, 1, 0))
| eval(SuspicionScore=SuspiciousPrefix + SuspiciousSuffix + HasRandomSuffix)
| table([@timestamp, ComputerName, SubjectUserName, TargetUserName, SuspiciousPrefix, SuspiciousSuffix, HasRandomSuffix, SuspicionScore])
| sort(field=@timestamp, order=desc)

medium severity medium confidence

Data Sources

Windows Security Event Log ingested into CrowdStrike Falcon LogScale Falcon LogScale repository with Windows Security event data (requires log ingestion configuration)

Required Tables

Windows Security Event Log data with EventCode, TargetUserName, SubjectUserName, and ComputerName fields

False Positives

Enterprise backup or patch management solutions (Veeam, WSUS, SCCM) that create service accounts named 'svc_backup' or 'svc_update' automatically during installation or scheduled maintenance windows without a preceding change request
IT operations teams provisioning monitoring infrastructure that deploy accounts named 'monitoring', 'sysadmin', or 'maintenance' for dedicated observability or endpoint management tooling across managed hosts
Authorized red team or penetration testing activities that intentionally create accounts with suspicious names as part of a scoped engagement — validate against current change management records or active SOC advisory before escalating the alert

Masquerade Account Name

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections