Detect Masquerade Account Name in Google Chronicle
Adversaries may match or approximate the names of legitimate accounts to make newly created ones appear benign. This will typically occur during Create Account, although accounts may also be renamed at a later date. This may also coincide with Account Access Removal if the actor first deletes an account before re-creating one with the same name. Often, adversaries will attempt to masquerade as service accounts, such as those associated with legitimate software, data backups, or container cluster management. They may also give accounts generic, trustworthy names, such as 'admin', 'help', or 'root.' Sometimes adversaries may model account names off of those already existing in the system, as a follow-on behavior to Account Discovery.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1036 Masquerading
- Sub-technique
- T1036.010 Masquerade Account Name
- Canonical reference
- https://attack.mitre.org/techniques/T1036/010/
YARA-L Detection Query
rule masquerade_account_name_t1036_010 {
meta:
author = "Detection Engineering"
description = "Detects creation of accounts with names masquerading as legitimate system, service, or administrative accounts (MITRE ATT&CK T1036.010)"
mitre_attack_tactic = "Defense Evasion"
mitre_attack_technique = "T1036.010"
severity = "HIGH"
priority = "HIGH"
yara_version = "YL2.0"
rule_version = "1.0"
events:
$e.metadata.event_type = "USER_CREATION"
(
re.regex($e.target.user.userid, `(?i)^(admin|administrator|help|helpdesk|helpassistant|support|supportaccount|svc_backup|svc_sql|svc_update|backup|backupadmin|defaultaccount|default|root|service|system|sysadmin|dbadmin|sqladmin|guest|test|temp|maintenance|monitoring)$`) or
re.regex($e.target.user.userid, `(?i)^(svc_|svc-|service|backup|admin|help|support|default|sys)`) or
re.regex($e.target.user.userid, `(?i)(admin|service|backup|help|support)$`)
)
condition:
$e
}Chronicle YARA-L 2.0 rule that detects creation of user accounts with names masquerading as legitimate built-in, service, or administrative accounts. Monitors USER_CREATION events across all ingested log sources via the Chronicle UDM and applies three case-insensitive regex conditions: exact match against a known suspicious name list, prefix pattern match (svc_, svc-, service, backup, admin, help, support, default, sys), and suffix pattern match (admin, service, backup, help, support). Fires on any single match.
Data Sources
Required Tables
False Positives & Tuning
- Software installers that programmatically create service accounts during first-run setup (e.g., SQL Server creating 'sqladmin', Veeam creating 'svc_backup') appearing as USER_CREATION UDM events without supporting context about the installer process
- Cloud infrastructure provisioning workflows (GCP, AWS, Azure) that create default service accounts using generic names such as 'admin', 'service', or 'default' when deploying new workloads or Kubernetes cluster nodes
- Directory synchronization processes (Azure AD Connect, Google Workspace Directory Sync) that replicate existing account names from on-premises Active Directory into cloud directories, generating USER_CREATION UDM events for accounts already established in the source system
Other platforms for T1036.010
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Create Masquerade Service Account (Windows)
Expected signal: Windows Security Event ID 4720: User Account Created with TargetUserName='svc_backup'. Event ID 4722: Account Enabled. Event ID 4738: Account attributes changed (comment field set). Process creation event for net.exe with 'user svc_backup /add' in command line.
- Test 2Create Masquerade HelpAssistant Account (Flame Pattern)
Expected signal: Windows Security Event ID 4720: User Account Created with TargetUserName='HelpAssistant'. Event ID 4732: Member Added to Local Group ('Remote Desktop Users'). Process creation events for net.exe with both user creation and group addition commands.
- Test 3Delete and Recreate Account (MOVEit Pattern)
Expected signal: Windows Security Event ID 4720: First account creation. Event ID 4726: Account deletion. Event ID 4720: Second account creation with same name. The time delta between deletion (4726) and recreation (4720) will be approximately 2 seconds, well within the 60-minute hunting window.
References (7)
- https://attack.mitre.org/techniques/T1036/010/
- https://www.elastic.co/security-labs/cuba-ransomware-campaign-analysis
- https://www.invictus-ir.com/news/ransomware-in-the-cloud
- https://www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response
- https://blog.aquasec.com/leveraging-kubernetes-rbac-to-backdoor-clusters
- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4720
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md
Unlock Pro Content
Get the full detection package for T1036.010 including response playbook, investigation guide, and atomic red team tests.