Detect Masquerade Account Name in Sumo Logic CSE
Adversaries may match or approximate the names of legitimate accounts to make newly created ones appear benign. This will typically occur during Create Account, although accounts may also be renamed at a later date. This may also coincide with Account Access Removal if the actor first deletes an account before re-creating one with the same name. Often, adversaries will attempt to masquerade as service accounts, such as those associated with legitimate software, data backups, or container cluster management. They may also give accounts generic, trustworthy names, such as 'admin', 'help', or 'root.' Sometimes adversaries may model account names off of those already existing in the system, as a follow-on behavior to Account Discovery.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1036 Masquerading
- Sub-technique
- T1036.010 Masquerade Account Name
- Canonical reference
- https://attack.mitre.org/techniques/T1036/010/
Sumo Detection Query
_sourceCategory=*windows*security* (EventCode=4720 OR EventID=4720)
| parse regex "TargetUserName\s*:\s*(?<NewAccount>\S+)" nodrop
| parse regex "SubjectUserName\s*:\s*(?<CreatorAccount>\S+)" nodrop
| where !isNull(NewAccount)
| eval NewAccount = toLower(trim(NewAccount))
| where NewAccount in ("admin", "administrator", "help", "helpdesk", "helpassistant", "support", "supportaccount", "svc_backup", "svc_sql", "svc_update", "backup", "backupadmin", "defaultaccount", "default", "root", "service", "system", "sysadmin", "dbadmin", "sqladmin", "guest", "test", "temp", "maintenance", "monitoring") OR NewAccount =~ "^(svc_|svc-|service|backup|admin|help|support|default|sys).*" OR NewAccount =~ ".*(admin|service|backup|help|support)$"
| eval SuspiciousPrefix = if(NewAccount =~ "^(svc_|svc-|service|backup|admin|help|support|default|sys).*", "true", "false")
| eval SuspiciousSuffix = if(NewAccount =~ ".*(admin|service|backup|help|support)$", "true", "false")
| eval HasRandomSuffix = if(NewAccount =~ "[a-z]+_[0-9a-f]{6,}", "true", "false")
| eval SuspicionScore = if(SuspiciousPrefix="true",1,0) + if(SuspiciousSuffix="true",1,0) + if(HasRandomSuffix="true",1,0)
| fields _messagetime, _sourcehost, CreatorAccount, NewAccount, SuspiciousPrefix, SuspiciousSuffix, HasRandomSuffix, SuspicionScore
| sort by _messagetime descDetects creation of Windows local accounts with names masquerading as legitimate system or service accounts. Parses Windows Security Event 4720 from Sumo Logic ingested logs using regex extraction, normalizes account names to lowercase, and applies multi-pattern matching including exact name values, common service account prefixes, and administrative naming suffixes. Computes a per-event suspicion score (0-3) based on prefix, suffix, and random-hex-suffix signals.
Data Sources
Required Tables
False Positives & Tuning
- Infrastructure automation tools (Ansible, Terraform, Chef) that create service accounts with standardized naming conventions such as 'svc_update' or 'monitoring' during provisioning of new servers or cloud instances as part of infrastructure-as-code pipelines
- Third-party monitoring and observability agents (Datadog, New Relic, PRTG, Zabbix) that install service accounts named 'monitoring' or using 'svc_' prefixes during agent deployment across managed endpoints
- Temporary test accounts created by developers or QA engineers with names like 'test', 'temp', or 'testadmin' during development, staging, or load testing activities that are not promptly removed after the activity concludes
Other platforms for T1036.010
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Create Masquerade Service Account (Windows)
Expected signal: Windows Security Event ID 4720: User Account Created with TargetUserName='svc_backup'. Event ID 4722: Account Enabled. Event ID 4738: Account attributes changed (comment field set). Process creation event for net.exe with 'user svc_backup /add' in command line.
- Test 2Create Masquerade HelpAssistant Account (Flame Pattern)
Expected signal: Windows Security Event ID 4720: User Account Created with TargetUserName='HelpAssistant'. Event ID 4732: Member Added to Local Group ('Remote Desktop Users'). Process creation events for net.exe with both user creation and group addition commands.
- Test 3Delete and Recreate Account (MOVEit Pattern)
Expected signal: Windows Security Event ID 4720: First account creation. Event ID 4726: Account deletion. Event ID 4720: Second account creation with same name. The time delta between deletion (4726) and recreation (4720) will be approximately 2 seconds, well within the 60-minute hunting window.
References (7)
- https://attack.mitre.org/techniques/T1036/010/
- https://www.elastic.co/security-labs/cuba-ransomware-campaign-analysis
- https://www.invictus-ir.com/news/ransomware-in-the-cloud
- https://www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response
- https://blog.aquasec.com/leveraging-kubernetes-rbac-to-backdoor-clusters
- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4720
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md
Unlock Pro Content
Get the full detection package for T1036.010 including response playbook, investigation guide, and atomic red team tests.