T1036.010 Masquerade Account Name

Adversaries may match or approximate the names of legitimate accounts to make newly created ones appear benign. This will typically occur during Create Account, although accounts may also be renamed at a later date. This may also coincide with Account Access Removal if the actor first deletes an account before re-creating one with the same name. [3]

Often, adversaries will attempt to masquerade as service accounts, such as those associated with legitimate software, data backups, or container cluster management. [1][4] They may also give accounts generic, trustworthy names, such as “admin”, “help”, or “root”. [2] Sometimes adversaries may model account names on those already existing in the system, as a follow-on behavior to Account Discovery.

Note that this is distinct from Impersonation, which describes impersonating specific trusted individuals or organizations, rather than user or service account names.

ID: T1036.010
Sub-techniques: T1036.001, T1036.002, T1036.003, T1036.004, T1036.005, T1036.006, T1036.007, T1036.008, T1036.009, T1036.010, T1036.011, T1036.012
Tactics: TA0005
Platforms: Containers, IaaS, Identity Provider, Linux, Office Suite, SaaS, Windows, macOS
Version: 1.0
Created: 05 August 2024
Last Modified: 15 April 2025

Procedure Examples

ID | Name | Description
C0025 | 2016 Ukraine Electric Power Attack | During the 2016 Ukraine Electric Power Attack, Sandworm Team created two new accounts, “admin” and “система” (System). [13]
G0022 | APT3 | APT3 has been known to create or enable accounts, such as support_388945a0. [12]
G0035 | Dragonfly | Dragonfly has created accounts disguised as legitimate backup and service accounts as well as an email administration account. [11]
S0143 | Flame | Flame can create backdoor accounts with login HelpAssistant on domain-connected systems if appropriate rights are available. [5][6]
G0059 | Magic Hound | Magic Hound has created local accounts named help and DefaultAccount on compromised machines. [9][10]
S0382 | ServHelper | ServHelper has created a new user named supportaccount. [7]
G1046 | Storm-1811 | Storm-1811 has created Microsoft Teams accounts that spoof IT support and helpdesk members for use in application and voice phishing. [8]

Mitigations

ID | Mitigation | Description
M1047 | Audit | Audit user accounts to ensure that each one has a defined purpose.
M1018 | User Account Management | Consider defining and enforcing a naming convention for user accounts to more easily spot generic account names that do not fit the typical schema.
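As an added example (not from the ATT&CK page), the following Python check applies M1047 and M1018 together: it audits a newly created account name against an assumed naming convention and service-account allow-list, flags the generic names seen in the procedure examples, non-ASCII names such as “система”, near-duplicates of existing accounts, and reuse of a recently deleted name. The convention, allow-list and account inventory are constructed for this example.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Assumed naming convention (constructed for this example): human accounts look like
# "xx-first.last"; service accounts look like "svc-<purpose>" and must be allow-listed.
HUMAN_RE = re.compile(r"^[a-z]{2}-[a-z]+\.[a-z]+$")
SERVICE_RE = re.compile(r"^svc-[a-z0-9]+$")
APPROVED_SERVICE = {"svc-backup", "svc-k8s-ctrl"}
# Generic "trustworthy" names taken from the technique text and procedure examples
GENERIC = {"admin", "administrator", "help", "root", "system", "support",
           "helpassistant", "defaultaccount", "supportaccount"}

# Constructed inventory: accounts that already exist, and names deleted recently
EXISTING = {"svc-backup", "svc-k8s-ctrl", "it-ann.lee"}
DELETED = {"it-bob.ray"}


def fold(name):
    """NFKC-normalise and casefold so width and case variants compare equal."""
    return unicodedata.normalize("NFKC", name).casefold()


def audit_account(name, existing=EXISTING, deleted=DELETED):
    """Return the reasons a newly created account name looks masqueraded ([] = clean)."""
    f = fold(name)
    reasons = []
    if not f.isascii():
        reasons.append("non-ascii")              # e.g. Cyrillic "система" (System)
    stem = re.match(r"[a-z]*", f).group(0)       # "support_388945a0" -> "support"
    if stem in GENERIC:
        reasons.append("generic-name")
    if f in APPROVED_SERVICE:
        pass                                     # known service account, as named
    elif SERVICE_RE.match(f):
        reasons.append("unapproved-service")     # right shape, not on the allow-list
    elif not HUMAN_RE.match(f):
        reasons.append("off-convention")
    if f in {fold(d) for d in deleted}:
        reasons.append("reuses-deleted-name")    # delete-then-recreate pattern
    for e in sorted(existing):
        fe = fold(e)
        if fe == f or SequenceMatcher(None, f, fe).ratio() >= 0.9:
            reasons.append("lookalike:" + e)     # near-duplicate of a legitimate name
    return reasons


if __name__ == "__main__":
    for candidate in ["admin", "система", "svc-backups", "it-bob.ray", "hr-sam.cho"]:
        print(candidate, audit_account(candidate) or "clean")
```

In production the inventory would come from the identity provider or directory, and the findings would feed the account-creation review rather than a print statement.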

References

1. Daniel Stepanic, Derek Ditch, Seth Goodwin, Salim Bitam, Andrew Pease. (2022, September 7). CUBA Ransomware Campaign Analysis. Retrieved August 5, 2024.
2. Invictus IR. (2024, January 11). Ransomware in the cloud. Retrieved August 5, 2024.
3. John Hammond. (2023, June 1). MOVEit Transfer Critical Vulnerability CVE-2023-34362 Rapid Response. Retrieved August 5, 2024.
4. Michael Katchinskiy, Assaf Morag. (2023, April 21). First-Ever Attack Leveraging Kubernetes RBAC to Backdoor Clusters. Retrieved July 14, 2023.
5. Gostev, A. (2012, May 28). The Flame: Questions and Answers. Retrieved March 1, 2017.
6. Gostev, A. (2012, May 30). Flame: Bunny, Frog, Munch and BeetleJuice…. Retrieved March 1, 2017.
7. Schwarz, D. and Proofpoint Staff. (2019, January 9). ServHelper and FlawedGrace - New malware introduced by TA505. Retrieved May 28, 2019.
8. Microsoft Threat Intelligence. (2024, May 15). Threat actors misusing Quick Assist in social engineering attacks leading to ransomware. Retrieved March 14, 2025.
9. DFIR Report. (2022, March 21). APT35 Automates Initial Access Using ProxyShell. Retrieved May 25, 2022.
10. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
11. valsmith. (2012, September 21). More on APTSim. Retrieved September 28, 2017.
12. Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020.