title: Masquerade Account Name (T1036.010)
id: df00tech-t1036-010
status: experimental
description: "Adversaries may match or approximate the names of legitimate accounts to make newly created ones appear benign. This will typically occur during Create Account, although accounts may also be renamed at a later date. This may also coincide with Account Access Removal if the actor first deletes an account before re-creating one with the same name. Often, adversaries will attempt to masquerade as service accounts, such as those associated with legitimate software, data backups, or container cluster management. They may also give accounts generic, trustworthy names, such as 'admin', 'help', or 'root.' Sometimes adversaries may model account names off of those already existing in the system, as a follow-on behavior to Account Discovery."
references:
  - https://attack.mitre.org/techniques/T1036/010/
  - https://df00tech.com/detections/T1036.010
author: df00tech
date: 2026/04/17
tags:
  - attack.t1036.010
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  product: windows
  service: security
detection:
  # The full df00tech logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # The selection below is a minimal baseline derived from the technique description, not a
  # translation of that query: account creation, deletion and rename events in the Security
  # log whose resulting account name is one of the generic names or service-account prefixes
  # the description lists. A wildcard such as 'EventID: *' would match every Windows event
  # and must not be deployed as a high-severity rule.
  selection_created_or_deleted:
    EventID:
      - 4720   # A user account was created
      - 4726   # A user account was deleted
    TargetUserName|startswith:
      - 'svc'
      - 'backup'
      - 'admin'
      - 'help'
      - 'root'
  selection_renamed:
    EventID: 4781   # The name of an account was changed; the new name is in NewTargetUserName
    NewTargetUserName|startswith:
      - 'svc'
      - 'backup'
      - 'admin'
      - 'help'
      - 'root'
  condition: 1 of selection_*
falsepositives:
  - "IT administrators legitimately creating service accounts with conventional naming patterns (svc_*, backup*, admin*) during planned software deployments or infrastructure changes"
  - "Automated provisioning systems (SCCM, Ansible, Terraform) creating accounts with templated names during scheduled infrastructure deployments"
  - "Password reset or account recovery workflows that delete and re-create an account under the same name"
  - "Helpdesk or support team accounts legitimately named 'help', 'helpdesk', or 'support' in organizations that use these conventions"
level: high
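
The three behaviours the description names (generic trusted names, names that approximate an existing account, and delete-then-re-create under the same name) applied to account-lifecycle events, as an added worked example that is not part of the df00tech rule or its KQL/SPL query. The event records, the KNOWN_ACCOUNTS baseline and the homoglyph substitution table are constructed for this example; the field names (TargetUserName, SubjectUserName, OldTargetUserName, NewTargetUserName) mirror the Windows Security log's event data for 4720/4726/4781, and the one-day re-creation window is an assumed tuning value.

```python
"""Added example (not df00tech's query): run the T1036.010 checks over constructed
Windows Security account-lifecycle events (4720 created, 4726 deleted, 4781 renamed).
KNOWN_ACCOUNTS, HOMOGLYPHS and SAMPLE_EVENTS are assumptions built for this example,
not real telemetry."""
from datetime import datetime

CREATED, DELETED, RENAMED = 4720, 4726, 4781

# Generic, trustworthy-sounding names from the technique description.
GENERIC_NAMES = {"admin", "administrator", "help", "helpdesk", "support", "root"}

# Characters an adversary swaps in to approximate an existing name (assumed table).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "i": "l", "|": "l",
                            "3": "e", "5": "s", "$": "s", "8": "b"})

# Hypothetical baseline of accounts already present in the domain.
KNOWN_ACCOUNTS = ["Administrator", "svc_backup", "sqlsvc", "backupadmin", "jsmith"]

# Constructed sample events; field names mirror the Security log's event data.
SAMPLE_EVENTS = [
    {"EventID": 4720, "time": "2026-04-17T08:00:00", "SubjectUserName": "svc_ansible", "TargetUserName": "svc_deploy"},
    {"EventID": 4720, "time": "2026-04-17T09:15:00", "SubjectUserName": "jsmith", "TargetUserName": "svc-backup"},
    {"EventID": 4720, "time": "2026-04-17T09:20:00", "SubjectUserName": "jsmith", "TargetUserName": "sq1svc"},
    {"EventID": 4720, "time": "2026-04-17T09:30:00", "SubjectUserName": "jsmith", "TargetUserName": "help"},
    {"EventID": 4726, "time": "2026-04-17T10:00:00", "SubjectUserName": "jsmith", "TargetUserName": "backupadmin"},
    {"EventID": 4720, "time": "2026-04-17T10:05:00", "SubjectUserName": "jsmith", "TargetUserName": "backupadmin"},
    {"EventID": 4781, "time": "2026-04-17T11:00:00", "SubjectUserName": "jsmith",
     "OldTargetUserName": "tmpuser", "NewTargetUserName": "Administrat0r"},
]


def normalize(name):
    """Collapse case, separators and digit/letter lookalikes so that
    'svc-backup', 'SVC_BACKUP' and 'svc_backup' compare equal."""
    return "".join(ch for ch in name.lower().translate(HOMOGLYPHS) if ch.isalnum())


def edit_distance(a, b):
    """Levenshtein distance; a name one edit away from a real account is a classic masquerade."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(name, known):
    """Return the existing account that `name` approximates, or None.
    An exact (case-insensitive) match is not a lookalike; that is the
    delete-then-re-create case handled separately in detect()."""
    for k in sorted(known):
        if k.lower() == name.lower():
            continue
        if normalize(k) == normalize(name) or edit_distance(k.lower(), name.lower()) == 1:
            return k
    return None


def detect(events, known, recreate_window_min=1440):
    """Return one finding per suspicious 4720/4781 event with the reasons it fired."""
    findings = []
    deleted_at = {}  # lowercased name -> time of the most recent 4726
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        if ev["EventID"] == DELETED:
            deleted_at[ev["TargetUserName"].lower()] = t
            continue
        if ev["EventID"] == CREATED:
            name = ev["TargetUserName"]
        elif ev["EventID"] == RENAMED:
            name = ev["NewTargetUserName"]  # the name the account ends up with
        else:
            continue
        reasons = []
        if name.lower() in GENERIC_NAMES:
            reasons.append("generic trusted name")
        twin = lookalike_of(name, known)
        if twin:
            reasons.append(f"approximates existing account '{twin}'")
        gone = deleted_at.get(name.lower())
        if ev["EventID"] == CREATED and gone is not None:
            minutes = int((t - gone).total_seconds() // 60)
            if minutes <= recreate_window_min:
                reasons.append(f"re-created {minutes} min after deletion")
        if reasons:
            findings.append({"time": ev["time"], "EventID": ev["EventID"], "name": name,
                             "by": ev["SubjectUserName"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS, KNOWN_ACCOUNTS):
        print(f["time"], f["EventID"], f["name"], "by", f["by"], "->", "; ".join(f["reasons"]))
```

On the sample data the benign `svc_deploy` creation by the provisioning account produces no finding, while `svc-backup`, `sq1svc` and `Administrat0r` are flagged as approximations of existing accounts, `help` as a generic name, and the second `backupadmin` creation as a re-creation five minutes after its deletion. In production the baseline would come from a directory export rather than a literal list, and the generic-name and prefix sets would be tuned against the false positives listed above.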
