T1036.010 Microsoft Sentinel · KQL

Detect Masquerade Account Name in Microsoft Sentinel

Adversaries may match or approximate the names of legitimate accounts to make newly created ones appear benign. This will typically occur during Create Account, although accounts may also be renamed at a later date. This may also coincide with Account Access Removal if the actor first deletes an account before re-creating one with the same name. Often, adversaries will attempt to masquerade as service accounts, such as those associated with legitimate software, data backups, or container cluster management. They may also give accounts generic, trustworthy names, such as 'admin', 'help', or 'root.' Sometimes adversaries may model account names off of those already existing in the system, as a follow-on behavior to Account Discovery.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1036 Masquerading
Sub-technique
T1036.010 Masquerade Account Name
Canonical reference
https://attack.mitre.org/techniques/T1036/010/

KQL Detection Query

Microsoft Sentinel (KQL)
// Names observed in use by the actors cited below, plus generic names that
// mimic built-in, support and service accounts. has_any is case-insensitive,
// so the mixed case in this list does not matter.
let SuspiciousAccountNames = dynamic([
  "admin", "administrator", "help", "helpdesk", "HelpAssistant",
  "support", "supportaccount", "svc_backup", "svc_sql", "svc_update",
  "backup", "backupadmin", "DefaultAccount", "default", "root",
  "service", "system", "sysadmin", "dbadmin", "sqladmin",
  "guest", "test", "temp", "maintenance", "monitoring"
]);
// Event ID 4720 = "A user account was created". TargetUserName is the new
// account; SubjectUserName is the account that created it.
let NewAccounts = SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID == 4720
| extend NewAccountName = tostring(TargetUserName)
| extend CreatorAccount = tostring(SubjectUserName)
// matches regex is case-sensitive, so all regex checks run on the lowercased name.
| extend NewAccountNameLower = tolower(NewAccountName);
NewAccounts
// has_any matches whole terms, not arbitrary substrings; the two regexes catch
// the prefix and suffix conventions (svc_*, *admin, ...) that a term match misses.
| where NewAccountNameLower has_any (SuspiciousAccountNames)
   or NewAccountNameLower matches regex @"^(svc_|svc-|service|backup|admin|help|support|default|sys)"
   or NewAccountNameLower matches regex @"(admin|service|backup|help|support)$"
// Enrichment only (does not filter): service-account style underscores and long
// digit runs such as support_388945a0 help with triage.
| extend NameContainsUnderscore = NewAccountName contains "_"
| extend NameContainsNumbers = NewAccountName matches regex @"[0-9]{4,}"
| project TimeGenerated, Computer, EventID, NewAccountName, CreatorAccount,
         NewAccountNameLower, NameContainsUnderscore, NameContainsNumbers
| sort by TimeGenerated desc
Severity: High · Confidence: Medium

Detects creation of new user accounts with names that mimic legitimate service accounts, administrative accounts, or system defaults. Monitors Windows Security Event ID 4720 (User Account Created) and flags accounts matching known suspicious naming patterns used by threat actors including Magic Hound ('help', 'DefaultAccount'), Dragonfly (backup/service accounts), ServHelper ('supportaccount'), APT3 ('support_388945a0'), and Flame ('HelpAssistant'). Uses a term match (has_any) against a known-bad list plus regex patterns for common service-account prefix and suffix conventions. The query keys on 4720 only: it does not cover an existing account being renamed to a masquerade name (Event ID 4781) or pair a deletion (Event ID 4726) with a recreation of the same name; those patterns need separate logic.

Data Sources

  • User Account: User Account Creation
  • Windows Security Event Log
  • Active Directory

Required Tables

SecurityEvent

False Positives & Tuning

  • IT administrators legitimately creating service accounts with conventional naming patterns (svc_*, backup*, admin*) during planned software deployments or infrastructure changes
  • Automated provisioning systems (SCCM, Ansible, Terraform) creating accounts with templated names during scheduled infrastructure deployments
  • Password reset workflows that delete and re-create accounts with the same name as part of account recovery procedures
  • Helpdesk or support team accounts legitimately named 'help', 'helpdesk', or 'support' in organizations that use these conventions
  • Prefer tuning on CreatorAccount (the SubjectUserName of known provisioning and admin accounts) over shortening the name list, so that a threat actor creating 'svc_backup' from a compromised user account is still surfaced

Testing Methodology

Validate this detection against the three Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Create Masquerade Service Account (Windows)

    Expected signal: Windows Security Event ID 4720: User Account Created with TargetUserName='svc_backup'. Event ID 4722: Account Enabled. Event ID 4738: Account attributes changed (comment field set). Process creation event for net.exe with 'user svc_backup /add' in command line.

  2. Test 2: Create Masquerade HelpAssistant Account (Flame Pattern)

    Expected signal: Windows Security Event ID 4720: User Account Created with TargetUserName='HelpAssistant'. Event ID 4732: Member Added to Local Group ('Remote Desktop Users'). Process creation events for net.exe with both user creation and group addition commands.

  3. Test 3: Delete and Recreate Account (MOVEit Pattern)

    Expected signal: Windows Security Event ID 4720 (first account creation), Event ID 4726 (account deleted), then a second Event ID 4720 with the same TargetUserName. The time delta between the deletion (4726) and the recreation (4720) will be approximately 2 seconds, well within a 60-minute hunting window. Note that the detection query on this page only filters 4720 events by name and does not implement that window; surfacing the delete-then-recreate pattern needs a query that pairs a 4726 with a following 4720 for the same TargetUserName and Computer.
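The following is an added Python example, not the page's KQL and not code from the detection's authors. It reimplements the name-matching logic of the query above (term match, prefix regex, suffix regex, enrichment columns) and adds the delete-then-recreate pairing that Test 3 expects, so the rules can be exercised offline against a handful of constructed SecurityEvent-style records before they are deployed. The sample events, host names and user names are made up; the tokenisation used to emulate has_any is an assumption (split on any non-alphanumeric character) rather than Kusto's exact term rules.

```python
import re
from datetime import datetime, timedelta

# Constructed sample records shaped like the SecurityEvent columns the KQL query
# uses (TimeGenerated, Computer, EventID, TargetUserName, SubjectUserName).
# These are not real telemetry; hosts and names are made up for the example.
SAMPLE_EVENTS = [
    {"TimeGenerated": "2024-05-01T10:00:00", "Computer": "WS01", "EventID": 4720,
     "TargetUserName": "svc_backup", "SubjectUserName": "jdoe"},
    {"TimeGenerated": "2024-05-01T10:01:00", "Computer": "WS01", "EventID": 4720,
     "TargetUserName": "HelpAssistant", "SubjectUserName": "jdoe"},
    {"TimeGenerated": "2024-05-01T10:02:00", "Computer": "WS01", "EventID": 4720,
     "TargetUserName": "alice.smith", "SubjectUserName": "provisioning"},
    {"TimeGenerated": "2024-05-01T10:03:00", "Computer": "FS01", "EventID": 4720,
     "TargetUserName": "support_388945a0", "SubjectUserName": "jdoe"},
    # Test 3 pattern: delete an account, then recreate the same name 2 seconds later.
    {"TimeGenerated": "2024-05-01T11:00:00", "Computer": "FS01", "EventID": 4726,
     "TargetUserName": "backupadmin", "SubjectUserName": "jdoe"},
    {"TimeGenerated": "2024-05-01T11:00:02", "Computer": "FS01", "EventID": 4720,
     "TargetUserName": "backupadmin", "SubjectUserName": "jdoe"},
    {"TimeGenerated": "2024-05-01T12:00:00", "Computer": "FS01", "EventID": 4720,
     "TargetUserName": "bob.jones", "SubjectUserName": "provisioning"},
]

# Same list as the KQL SuspiciousAccountNames, lower-cased once because has_any
# is case-insensitive.
SUSPICIOUS_ACCOUNT_NAMES = {n.lower() for n in [
    "admin", "administrator", "help", "helpdesk", "HelpAssistant",
    "support", "supportaccount", "svc_backup", "svc_sql", "svc_update",
    "backup", "backupadmin", "DefaultAccount", "default", "root",
    "service", "system", "sysadmin", "dbadmin", "sqladmin",
    "guest", "test", "temp", "maintenance", "monitoring",
]}
PREFIX_RE = re.compile(r"^(svc_|svc-|service|backup|admin|help|support|default|sys)")
SUFFIX_RE = re.compile(r"(admin|service|backup|help|support)$")
DIGIT_RUN_RE = re.compile(r"[0-9]{4,}")


def terms(name):
    """Whole terms of a name. Assumption: Kusto term boundaries are approximated
    by splitting on any non-alphanumeric character. has_any matches whole terms,
    never arbitrary substrings, which is why 'admin' does not hit 'adminton'."""
    return [t for t in re.split(r"[^a-z0-9]+", name.lower()) if t]


def name_is_suspicious(name):
    """Return the list of KQL predicates the name satisfies (empty = benign)."""
    lower = name.lower()
    reasons = []
    if lower in SUSPICIOUS_ACCOUNT_NAMES or any(
            t in SUSPICIOUS_ACCOUNT_NAMES for t in terms(lower)):
        reasons.append("has_any")
    if PREFIX_RE.search(lower):
        reasons.append("prefix")
    if SUFFIX_RE.search(lower):
        reasons.append("suffix")
    return reasons


def _ts(event):
    return datetime.fromisoformat(event["TimeGenerated"])


def detect_masquerade_names(events):
    """Mirror the KQL: 4720 events whose new account name looks like a
    masquerade, with the same enrichment columns, newest first."""
    hits = []
    for e in events:
        if e["EventID"] != 4720:
            continue
        name = e["TargetUserName"]
        reasons = name_is_suspicious(name)
        if not reasons:
            continue
        hits.append({
            "TimeGenerated": e["TimeGenerated"],
            "Computer": e["Computer"],
            "NewAccountName": name,
            "CreatorAccount": e["SubjectUserName"],
            "Reasons": reasons,
            "NameContainsUnderscore": "_" in name,
            "NameContainsNumbers": DIGIT_RUN_RE.search(name) is not None,
        })
    return sorted(hits, key=_ts, reverse=True)


def detect_delete_recreate(events, window=timedelta(minutes=60)):
    """Pair each 4726 (account deleted) with the next 4720 that recreates the
    same name on the same host within `window`. The page's KQL does not do
    this; it is the correlation that Test 3 expects a hunter to perform."""
    pending = {}   # (computer, lowercased name) -> deletion time
    pairs = []
    for e in sorted(events, key=_ts):
        key = (e["Computer"], e["TargetUserName"].lower())
        if e["EventID"] == 4726:
            pending[key] = _ts(e)
        elif e["EventID"] == 4720 and key in pending:
            delta = _ts(e) - pending.pop(key)
            if delta <= window:
                pairs.append({"Computer": e["Computer"],
                              "AccountName": e["TargetUserName"],
                              "CreatorAccount": e["SubjectUserName"],
                              "SecondsBetween": delta.total_seconds()})
    return pairs


if __name__ == "__main__":
    for hit in detect_masquerade_names(SAMPLE_EVENTS):
        print(hit["TimeGenerated"], hit["Computer"], hit["NewAccountName"], hit["Reasons"])
    for pair in detect_delete_recreate(SAMPLE_EVENTS):
        print("delete/recreate:", pair)
```

Run as-is it reports svc_backup, HelpAssistant, support_388945a0 and backupadmin as masquerade names (alice.smith and bob.jones pass), and one delete/recreate pair for backupadmin two seconds apart. Dropping a name from SUSPICIOUS_ACCOUNT_NAMES or a branch from PREFIX_RE and re-running shows exactly which sample falls out, which is the check worth doing before loosening the rule to reduce the false positives listed above.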
