T1036.010 Elastic Security · Elastic

Detect Masquerade Account Name in Elastic Security

Adversaries may match or approximate the names of legitimate accounts to make newly created ones appear benign. This will typically occur during Create Account, although accounts may also be renamed at a later date. This may also coincide with Account Access Removal if the actor first deletes an account before re-creating one with the same name. Often, adversaries will attempt to masquerade as service accounts, such as those associated with legitimate software, data backups, or container cluster management. They may also give accounts generic, trustworthy names, such as 'admin', 'help', or 'root.' Sometimes adversaries may model account names off of those already existing in the system, as a follow-on behavior to Account Discovery.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1036 Masquerading
Sub-technique
T1036.010 Masquerade Account Name
Canonical reference
https://attack.mitre.org/techniques/T1036/010/

Elastic Detection Query

Elastic Security (Elastic)
eql 
iam where event.code == "4720" and (
  winlog.event_data.TargetUserName in~ ("admin", "administrator", "help", "helpdesk", "helpassistant", "support", "supportaccount", "svc_backup", "svc_sql", "svc_update", "backup", "backupadmin", "defaultaccount", "default", "root", "service", "system", "sysadmin", "dbadmin", "sqladmin", "guest", "test", "temp", "maintenance", "monitoring") or
  winlog.event_data.TargetUserName like~ "svc_*" or
  winlog.event_data.TargetUserName like~ "svc-*" or
  winlog.event_data.TargetUserName like~ "admin*" or
  winlog.event_data.TargetUserName like~ "service*" or
  winlog.event_data.TargetUserName like~ "backup*" or
  winlog.event_data.TargetUserName like~ "help*" or
  winlog.event_data.TargetUserName like~ "support*" or
  winlog.event_data.TargetUserName like~ "default*" or
  winlog.event_data.TargetUserName like~ "sys*" or
  winlog.event_data.TargetUserName like~ "*admin" or
  winlog.event_data.TargetUserName like~ "*service" or
  winlog.event_data.TargetUserName like~ "*backup" or
  winlog.event_data.TargetUserName like~ "*help" or
  winlog.event_data.TargetUserName like~ "*support"
)
medium severity high confidence

Detects creation of Windows local accounts with names masquerading as built-in system accounts, service accounts, or administrative accounts via Windows Security Event ID 4720. Uses case-insensitive list-membership and wildcard matching against known suspicious account name values, common service account prefixes (svc_, service, backup, admin), and administrative naming suffixes. Requires Elastic 8.6+ for in~ and like~ operators.

Data Sources

Windows Security Event Log via Winlogbeat or Elastic AgentWindows host telemetry

Required Tables

winlogbeat-*logs-system.security-*

False Positives & Tuning

  • Enterprise backup software (Veeam, Commvault, Acronis) automatically creating service accounts named 'svc_backup' or 'backupadmin' during installation or initial configuration on Windows servers
  • Database platform installers (Microsoft SQL Server, MySQL, PostgreSQL) that create dedicated service accounts matching 'svc_sql', 'dbadmin', or 'sqladmin' patterns as part of automated first-run setup routines
  • Helpdesk or ITSM platforms (ServiceNow on-prem agents, Zendesk) that provision dedicated support or helpdesk accounts matching monitored naming patterns during standard IT onboarding workflows
Download portable Sigma rule (.yml)

Other platforms for T1036.010

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Create Masquerade Service Account (Windows)

    Expected signal: Windows Security Event ID 4720: User Account Created with TargetUserName='svc_backup'. Event ID 4722: Account Enabled. Event ID 4738: Account attributes changed (comment field set). Process creation event for net.exe with 'user svc_backup /add' in command line.

  2. Test 2Create Masquerade HelpAssistant Account (Flame Pattern)

    Expected signal: Windows Security Event ID 4720: User Account Created with TargetUserName='HelpAssistant'. Event ID 4732: Member Added to Local Group ('Remote Desktop Users'). Process creation events for net.exe with both user creation and group addition commands.

  3. Test 3Delete and Recreate Account (MOVEit Pattern)

    Expected signal: Windows Security Event ID 4720: First account creation. Event ID 4726: Account deletion. Event ID 4720: Second account creation with same name. The time delta between deletion (4726) and recreation (4720) will be approximately 2 seconds, well within the 60-minute hunting window.

Last updated: 2026-04-17 Research depth: deep
References (7)

Unlock Pro Content

Get the full detection package for T1036.010 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1036Masquerading

Related Sub-techniques

T1036.001Invalid Code SignatureT1036.002Right-to-Left OverrideT1036.003Rename Legitimate UtilitiesT1036.004Masquerade Task or ServiceT1036.005Match Legitimate Resource Name or LocationT1036.006Space after FilenameT1036.007Double File ExtensionT1036.008Masquerade File TypeT1036.009Break Process TreesT1036.011Overwrite Process ArgumentsT1036.012Browser Fingerprint

Related Techniques

T1036MasqueradingT1136.001Local AccountT1136.002Domain AccountT1136.003Cloud AccountT1087Account DiscoveryT1531Account Access RemovalT1078Valid AccountsT1656Impersonation

Same Tactic: Defense Evasion

Popular Detections