Detect Masquerade Account Name in CrowdStrike LogScale
Adversaries may match or approximate the names of legitimate accounts to make newly created ones appear benign. This will typically occur during Create Account, although accounts may also be renamed at a later date. This may also coincide with Account Access Removal if the actor first deletes an account before re-creating one with the same name. Often, adversaries will attempt to masquerade as service accounts, such as those associated with legitimate software, data backups, or container cluster management. They may also give accounts generic, trustworthy names, such as 'admin', 'help', or 'root.' Sometimes adversaries may model account names off of those already existing in the system, as a follow-on behavior to Account Discovery.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1036 Masquerading
- Sub-technique
- T1036.010 Masquerade Account Name
- Canonical reference
- https://attack.mitre.org/techniques/T1036/010/
LogScale Detection Query
// Requires Windows Security Event Log ingestion into Falcon LogScale
EventCode=4720
| regex(field=TargetUserName, regex="(?i)(^(admin|administrator|help|helpdesk|helpassistant|support|supportaccount|svc_backup|svc_sql|svc_update|backup|backupadmin|defaultaccount|default|root|service|system|sysadmin|dbadmin|sqladmin|guest|test|temp|maintenance|monitoring)$|^(svc_|svc-|service|backup|admin|help|support|default|sys)|(admin|service|backup|help|support)$)")
| eval(SuspiciousPrefix=if(TargetUserName=~/(?i)^(svc_|svc-|service|backup|admin|help|support|default|sys)/, 1, 0))
| eval(SuspiciousSuffix=if(TargetUserName=~/(?i)(admin|service|backup|help|support)$/, 1, 0))
| eval(HasRandomSuffix=if(TargetUserName=~/[a-z]+_[0-9a-f]{6,}/, 1, 0))
| eval(SuspicionScore=SuspiciousPrefix + SuspiciousSuffix + HasRandomSuffix)
| table([@timestamp, ComputerName, SubjectUserName, TargetUserName, SuspiciousPrefix, SuspiciousSuffix, HasRandomSuffix, SuspicionScore])
| sort(field=@timestamp, order=desc)CrowdStrike Falcon LogScale (CQL) query that detects creation of Windows local accounts with suspicious masquerading names. Requires Windows Security Event Log (EventCode 4720) to be ingested into the Falcon LogScale repository — this is not a native Falcon EDR telemetry event. Applies a combined case-insensitive regex filter then assigns a numeric suspicion score (0-3) per event based on prefix pattern, suffix pattern, and random hex-suffix detection, enabling priority triage of the most suspicious account creation events.
Data Sources
Required Tables
False Positives & Tuning
- Enterprise backup or patch management solutions (Veeam, WSUS, SCCM) that create service accounts named 'svc_backup' or 'svc_update' automatically during installation or scheduled maintenance windows without a preceding change request
- IT operations teams provisioning monitoring infrastructure that deploy accounts named 'monitoring', 'sysadmin', or 'maintenance' for dedicated observability or endpoint management tooling across managed hosts
- Authorized red team or penetration testing activities that intentionally create accounts with suspicious names as part of a scoped engagement — validate against current change management records or active SOC advisory before escalating the alert
Other platforms for T1036.010
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Create Masquerade Service Account (Windows)
Expected signal: Windows Security Event ID 4720: User Account Created with TargetUserName='svc_backup'. Event ID 4722: Account Enabled. Event ID 4738: Account attributes changed (comment field set). Process creation event for net.exe with 'user svc_backup /add' in command line.
- Test 2Create Masquerade HelpAssistant Account (Flame Pattern)
Expected signal: Windows Security Event ID 4720: User Account Created with TargetUserName='HelpAssistant'. Event ID 4732: Member Added to Local Group ('Remote Desktop Users'). Process creation events for net.exe with both user creation and group addition commands.
- Test 3Delete and Recreate Account (MOVEit Pattern)
Expected signal: Windows Security Event ID 4720: First account creation. Event ID 4726: Account deletion. Event ID 4720: Second account creation with same name. The time delta between deletion (4726) and recreation (4720) will be approximately 2 seconds, well within the 60-minute hunting window.
References (7)
- https://attack.mitre.org/techniques/T1036/010/
- https://www.elastic.co/security-labs/cuba-ransomware-campaign-analysis
- https://www.invictus-ir.com/news/ransomware-in-the-cloud
- https://www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response
- https://blog.aquasec.com/leveraging-kubernetes-rbac-to-backdoor-clusters
- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4720
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md
Unlock Pro Content
Get the full detection package for T1036.010 including response playbook, investigation guide, and atomic red team tests.