T1036.010 Splunk · SPL

Detect Masquerade Account Name in Splunk

Adversaries may match or approximate the names of legitimate accounts to make newly created ones appear benign. This will typically occur during Create Account, although accounts may also be renamed at a later date. This may also coincide with Account Access Removal if the actor first deletes an account before re-creating one with the same name. Often, adversaries will attempt to masquerade as service accounts, such as those associated with legitimate software, data backups, or container cluster management. They may also give accounts generic, trustworthy names, such as 'admin', 'help', or 'root.' Sometimes adversaries may model account names off of those already existing in the system, as a follow-on behavior to Account Discovery.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1036 Masquerading
Sub-technique
T1036.010 Masquerade Account Name
Canonical reference
https://attack.mitre.org/techniques/T1036/010/

SPL Detection Query

Splunk (SPL)
spl 
index=wineventlog sourcetype="WinEventLog:Security" EventCode=4720
| eval NewAccount=lower(TargetUserName)
| eval suspicious_pattern=if(match(NewAccount, "^(admin|administrator|help|helpdesk|helpassistant|support|supportaccount|backup|backupadmin|defaultaccount|default|root|service|system|sysadmin|dbadmin|sqladmin|guest|test|temp|maintenance|monitoring|svc_.*|svc-.*)"), 1, 0)
| eval suspicious_suffix=if(match(NewAccount, "(admin|service|backup|help|support)$"), 1, 0)
| eval has_random_suffix=if(match(NewAccount, "[a-z]+_[0-9a-f]{6,}"), 1, 0)
| eval SuspicionScore=suspicious_pattern + suspicious_suffix + has_random_suffix
| where SuspicionScore > 0
| table _time, host, SubjectUserName, TargetUserName, NewAccount, suspicious_pattern, suspicious_suffix, has_random_suffix, SuspicionScore
| sort - _time
high severity medium confidence

Detects creation of user accounts with suspicious names using Windows Security Event ID 4720 (User Account Created). Assigns a suspicion score based on multiple indicators: matching known masquerade patterns (service account names, administrative names, system defaults), suspicious suffixes, and random hexadecimal suffixes (e.g., support_388945a0 as used by APT3). Higher scores indicate stronger confidence that the account name is designed to blend in with legitimate accounts.

Data Sources

User Account: User Account CreationWindows Security Event Log

Required Sourcetypes

WinEventLog:Security

False Positives & Tuning

  • IT administrators creating service accounts with conventional naming patterns during planned deployments
  • Automated provisioning systems creating templated accounts during infrastructure changes
  • Password reset workflows that recreate accounts with the same name
  • Organizations that legitimately use 'help', 'support', or 'admin' as account naming conventions
Download portable Sigma rule (.yml)

Other platforms for T1036.010

Microsoft Sentinel (KQL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Create Masquerade Service Account (Windows)

    Expected signal: Windows Security Event ID 4720: User Account Created with TargetUserName='svc_backup'. Event ID 4722: Account Enabled. Event ID 4738: Account attributes changed (comment field set). Process creation event for net.exe with 'user svc_backup /add' in command line.

  2. Test 2Create Masquerade HelpAssistant Account (Flame Pattern)

    Expected signal: Windows Security Event ID 4720: User Account Created with TargetUserName='HelpAssistant'. Event ID 4732: Member Added to Local Group ('Remote Desktop Users'). Process creation events for net.exe with both user creation and group addition commands.

  3. Test 3Delete and Recreate Account (MOVEit Pattern)

    Expected signal: Windows Security Event ID 4720: First account creation. Event ID 4726: Account deletion. Event ID 4720: Second account creation with same name. The time delta between deletion (4726) and recreation (4720) will be approximately 2 seconds, well within the 60-minute hunting window.

Last updated: 2026-04-17 Research depth: deep
References (7)

Unlock Pro Content

Get the full detection package for T1036.010 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1036Masquerading

Related Sub-techniques

T1036.001Invalid Code SignatureT1036.002Right-to-Left OverrideT1036.003Rename Legitimate UtilitiesT1036.004Masquerade Task or ServiceT1036.005Match Legitimate Resource Name or LocationT1036.006Space after FilenameT1036.007Double File ExtensionT1036.008Masquerade File TypeT1036.009Break Process TreesT1036.011Overwrite Process ArgumentsT1036.012Browser Fingerprint

Related Techniques

T1036MasqueradingT1136.001Local AccountT1136.002Domain AccountT1136.003Cloud AccountT1087Account DiscoveryT1531Account Access RemovalT1078Valid AccountsT1656Impersonation

Same Tactic: Defense Evasion

Popular Detections