Detect Masquerade Account Name in IBM QRadar
Adversaries may match or approximate the names of legitimate accounts to make newly created ones appear benign. This will typically occur during Create Account, although accounts may also be renamed at a later date. This may also coincide with Account Access Removal if the actor first deletes an account before re-creating one with the same name. Often, adversaries will attempt to masquerade as service accounts, such as those associated with legitimate software, data backups, or container cluster management. They may also give accounts generic, trustworthy names, such as 'admin', 'help', or 'root.' Sometimes adversaries may model account names off of those already existing in the system, as a follow-on behavior to Account Discovery.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1036 Masquerading
- Sub-technique
- T1036.010 Masquerade Account Name
- Canonical reference
- https://attack.mitre.org/techniques/T1036/010/
QRadar Detection Query

```sql
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  LOGSOURCENAME(logsourceid) AS LogSource,
  sourceip AS SourceHost,
  username AS NewAccountName,
  CATEGORYNAME(category) AS EventCategory
FROM events
WHERE (devicetype = 12 OR LOGSOURCETYPENAME(devicetype) ILIKE '%Windows Security%')
  AND QIDNAME(qid) ILIKE '%user account was created%'
  AND (
    LOWER(username) IN (
      'admin', 'administrator', 'help', 'helpdesk', 'helpassistant',
      'support', 'supportaccount', 'svc_backup', 'svc_sql', 'svc_update',
      'backup', 'backupadmin', 'defaultaccount', 'default', 'root',
      'service', 'system', 'sysadmin', 'dbadmin', 'sqladmin',
      'guest', 'test', 'temp', 'maintenance', 'monitoring'
    )
    OR LOWER(username) MATCHES '^(svc_|svc-|service|backup|admin|help|support|default|sys).*'
    OR LOWER(username) MATCHES '.*(admin|service|backup|help|support)$'
  )
ORDER BY starttime DESC
LAST 24 HOURS
```

Detects creation of Windows local or domain accounts whose names masquerade as legitimate system or service accounts. The query reads QRadar's normalized events table for Windows Security Event ID 4720 (a user account was created) and applies case-insensitive matching on the normalized username field against three sets: an exact list of commonly abused names, service-account prefixes (svc_, svc-, service, backup, admin, help, support, default, sys) and administrative suffixes (admin, service, backup, help, support). devicetype = 12 is the Microsoft Windows Security Event Log log source type; the LOGSOURCETYPENAME fallback covers deployments where the type ID differs. AQL's MATCHES evaluates the regular expression against the whole value, so each pattern carries .* on its unanchored side; without it the prefix and suffix clauses would only match names that are exactly 'svc_', 'admin' and so on. Before deploying, confirm that username on 4720 events in your environment carries the created account (the New Account section's Account Name) rather than the creating subject; if your DSM maps it the other way, substitute the custom event property that holds TargetUserName.
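To see the WHERE clause's name logic behave outside QRadar, here is a Python reconstruction added for this page (it is not part of the rule and not QRadar code). It mirrors the exact list, prefix and suffix matching with re.fullmatch to reproduce AQL's whole-value MATCHES semantics, runs it over a constructed batch of normalized events, and adds two things the AQL above does not have: an allowlist hook for the provisioning exceptions listed under False Positives & Tuning, and a pairing of account-deleted and account-created events by name to show the delete-and-recreate sequence from Test 3. The QID wording, event field names and sample events are assumptions made for the example.

```python
import re
from datetime import datetime

# Exact names from the rule's IN (...) list; the rule lowercases username first.
EXACT_NAMES = {
    "admin", "administrator", "help", "helpdesk", "helpassistant",
    "support", "supportaccount", "svc_backup", "svc_sql", "svc_update",
    "backup", "backupadmin", "defaultaccount", "default", "root",
    "service", "system", "sysadmin", "dbadmin", "sqladmin",
    "guest", "test", "temp", "maintenance", "monitoring",
}
# The rule's two MATCHES patterns. AQL MATCHES tests the whole value, which
# re.fullmatch reproduces; the .* keeps the anchors meaningful under that rule.
PREFIX_RE = re.compile(r"^(svc_|svc-|service|backup|admin|help|support|default|sys).*")
SUFFIX_RE = re.compile(r".*(admin|service|backup|help|support)$")

# Constructed sample of normalized QRadar events (assumed field and QID names,
# not real telemetry). Times are strings in the layout DATEFORMAT above emits.
SAMPLE_EVENTS = [
    {"starttime": "2024-05-01 10:00:00", "qid_name": "A user account was created", "username": "svc_backup"},
    {"starttime": "2024-05-01 10:00:01", "qid_name": "A user account was enabled", "username": "svc_backup"},
    {"starttime": "2024-05-01 10:01:00", "qid_name": "A user account was created", "username": "svc-sql01"},
    {"starttime": "2024-05-01 10:02:00", "qid_name": "A user account was created", "username": "jsmith"},
    {"starttime": "2024-05-01 10:03:00", "qid_name": "A user account was created", "username": "sysprep_user"},
    {"starttime": "2024-05-01 10:05:00", "qid_name": "A user account was deleted", "username": "HelpAssistant"},
    {"starttime": "2024-05-01 10:05:02", "qid_name": "A user account was created", "username": "HelpAssistant"},
]


def is_masquerade_name(username: str) -> bool:
    """Mirror of the rule's name predicate: exact list OR prefix OR suffix."""
    name = username.lower()
    return (
        name in EXACT_NAMES
        or PREFIX_RE.fullmatch(name) is not None
        or SUFFIX_RE.fullmatch(name) is not None
    )


def is_account_created(event: dict) -> bool:
    """Same test as QIDNAME(qid) ILIKE '%user account was created%'."""
    return "user account was created" in event["qid_name"].lower()


def is_account_deleted(event: dict) -> bool:
    """Assumed QID wording for Event ID 4726; not part of the page's query."""
    return "user account was deleted" in event["qid_name"].lower()


def detect_masquerade_creations(events, allowlist=frozenset()):
    """Usernames of 4720 events the rule would surface, in event order.

    allowlist (names, any case) is an added tuning hook for the provisioning
    exceptions described under False Positives & Tuning.
    """
    allowed = {a.lower() for a in allowlist}
    return [
        e["username"]
        for e in events
        if is_account_created(e)
        and e["username"].lower() not in allowed
        and is_masquerade_name(e["username"])
    ]


def delete_recreate_pairs(events, max_delta_seconds=60):
    """(username, seconds) for names deleted and then recreated within the window.

    Extension beyond the AQL above: it pairs the 4726 -> 4720 sequence from
    Test 3, which the name-only rule does not correlate.
    """
    last_deleted = {}
    pairs = []
    for e in sorted(events, key=lambda ev: ev["starttime"]):
        name = e["username"].lower()
        ts = datetime.fromisoformat(e["starttime"])
        if is_account_deleted(e):
            last_deleted[name] = ts
        elif is_account_created(e) and name in last_deleted:
            delta = (ts - last_deleted.pop(name)).total_seconds()
            if 0 <= delta <= max_delta_seconds:
                pairs.append((e["username"], delta))
    return pairs


if __name__ == "__main__":
    print("rule hits:", detect_masquerade_creations(SAMPLE_EVENTS))
    print("with svc_backup allowlisted:",
          detect_masquerade_creations(SAMPLE_EVENTS, allowlist={"svc_backup"}))
    print("deleted then recreated:", delete_recreate_pairs(SAMPLE_EVENTS))
```

Running it shows the breadth of the sys prefix: 'sysprep_user' fires purely because it starts with 'sys', which is the kind of hit the tuning notes anticipate and the allowlist parameter is meant to absorb, while 'jsmith' is ignored and the 2-second 'HelpAssistant' delete-and-recreate pair is surfaced only by the added pairing function, not by the name rule itself.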
Data Sources
- Microsoft Windows Security Event Log, Event ID 4720 (A user account was created), ingested in QRadar as log source type Microsoft Windows Security Event Log (devicetype 12)
Required Tables
- events (QRadar's normalized events table; the query uses starttime, logsourceid, sourceip, username, category, devicetype and qid)
False Positives & Tuning
- Legitimate software deployment pipelines (SCCM, Intune, Puppet) that automatically create service accounts with naming patterns like 'svc_update' or 'svc_backup' during managed software installation and patch management across the fleet
- Active Directory provisioning workflows that bulk-create accounts following organizational naming standards using 'svc_' prefixes for all service accounts, generating alerts across multiple hosts simultaneously during provisioning windows
- Authorized penetration testing or red team engagements that intentionally create accounts with suspicious names as part of scoped attack simulations — validate against change management calendar and current SOC advisory before escalating
Testing Methodology
Validate this detection with the three Atomic Red Team-style tests below (the T1136.001 atomics linked in the references exercise the same local-account creation behaviour). Each test lists the behaviour to exercise and the telemetry you should expect to see.
- Test 1: Create Masquerade Service Account (Windows)
  Expected signal: Windows Security Event ID 4720 (A user account was created) with TargetUserName 'svc_backup'; Event ID 4722 (account enabled); Event ID 4738 (account changed, comment field set); a process creation event for net.exe with 'user svc_backup /add' in the command line. The query fires on the 4720 because 'svc_backup' is in its exact-name list.
- Test 2: Create Masquerade HelpAssistant Account (Flame Pattern)
  Expected signal: Event ID 4720 with TargetUserName 'HelpAssistant'; Event ID 4732 (member added to security-enabled local group 'Remote Desktop Users'); process creation events for net.exe for both the user creation and the group addition. 'helpassistant' is in the exact-name list and also matches the help prefix.
- Test 3: Delete and Recreate Account (MOVEit Pattern)
  Expected signal: Event ID 4720 for the first creation; Event ID 4726 (account deleted); a second Event ID 4720 for the same name. The deletion-to-recreation delta is roughly 2 seconds, so both creations sit inside the query's 24-hour lookback; note that the rule matches each 4720 on name alone and does not correlate it with the preceding 4726.
References
- https://attack.mitre.org/techniques/T1036/010/
- https://www.elastic.co/security-labs/cuba-ransomware-campaign-analysis
- https://www.invictus-ir.com/news/ransomware-in-the-cloud
- https://www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response
- https://blog.aquasec.com/leveraging-kubernetes-rbac-to-backdoor-clusters
- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4720
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md