Skip to content

DET0383 Detection Strategy for Masquerading via Account Name Similarity

Item Value
ID DET0383
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1036.010 (Masquerade Account Name)

Analytics

Windows

AN1077

Detects adversary behavior where a newly created or renamed user account closely resembles existing service or administrator accounts to blend in and avoid detection. Common patterns include prefix/suffix modifications, homoglyphs, or use of names like ‘admin1’, ‘adm1n’, or ‘backup_help’.

Log Sources
Data Component Name Channel
User Account Creation (DC0014) WinEventLog:Security EventCode=4720
User Account Metadata (DC0013) windows:osquery User enumeration with creation/last modified timestamps
Mutable Elements
Field Description
SimilarityThreshold Defines how close in Levenshtein or visual distance an account name must be to a legitimate one to raise an alert.
MonitoredAccountList Set of known legitimate accounts to compare new account names against.
TimeWindow Period within which anomalous account creation or renaming is evaluated in relation to discovery or deletion activity.

Linux

AN1078

Detects creation or renaming of accounts with names that closely match known service, root, or admin accounts. Behavior often follows account discovery or deletion, attempting to blend into system activity logs using trusted name conventions.

Log Sources
Data Component Name Channel
User Account Creation (DC0014) auditd:SYSCALL adduser
User Account Modification (DC0010) auditd:SYSCALL usermod, or account rename system calls
User Account Metadata (DC0013) linux:osquery Listing of /etc/passwd and /etc/shadow metadata
Mutable Elements
Field Description
AllowedSystemAccounts Whitelist of legitimate service accounts used for validation.
LevenshteinThreshold Edit distance sensitivity between created account and existing account names.
ScriptInitiatorDetection Whether to flag account creation events triggered from suspicious scripts or shell histories.

Identity Provider

AN1079

Detects adversary creation of cloud or IdP accounts whose names resemble existing privileged or service accounts. May indicate preparation for privilege escalation or defense evasion.

Log Sources
Data Component Name Channel
User Account Creation (DC0014) azure:audit Add user
User Account Modification (DC0010) azure:audit Rename user
User Account Metadata (DC0013) saas:okta User lifecycle events
Mutable Elements
Field Description
RoleScope Whether created users have privileged or scoped roles assigned at creation.
NamingHeuristics Regex patterns or heuristics for detecting suspicious naming conventions (e.g., helpdesk_support_, root-admin).

Containers

AN1080

Monitors for the creation of accounts inside containers using names that resemble legitimate orchestrator or backup identities to mask adversary persistence.

Log Sources
Data Component Name Channel
User Account Creation (DC0014) docker:daemon ExecCreate + usermod or useradd
Mutable Elements
Field Description
ContainerContextScope Limit detection to containers with persistent volumes or specific workloads
MasqueradePatternList Custom list of commonly abused names to blend into container environments (e.g., kubelet, cronjob_sync)