Description
Adversaries may match or approximate the names of legitimate accounts to make newly created ones appear benign. This will typically occur during Create Account, although accounts may also be renamed at a later date. This may also coincide with Account Access Removal if the actor first deletes an account before re-creating one with the same name.(Citation: Huntress MOVEit 2023)
Often, adversaries will attempt to masquerade as service accounts, such as those associated with legitimate software, data backups, or container cluster management.(Citation: Elastic CUBA Ransomware 2022)(Citation: Aquasec Kubernetes Attack 2023) They may also give accounts generic, trustworthy names, such as “admin”, “help”, or “root”.(Citation: Invictus IR Cloud Ransomware 2024) Sometimes adversaries may model account names on those already existing in the system, as a follow-on behavior to Account Discovery.
Note that this is distinct from Impersonation, which describes impersonating specific trusted individuals or organizations, rather than user or service account names.
Platforms
Mitigations (2)
Audit (M1047)
Audit user accounts to ensure that each one has a defined purpose.
User Account Management (M1018)
Consider defining and enforcing a naming convention for user accounts to more easily spot generic account names that do not fit the typical schema.
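The two mitigations above (auditing accounts and enforcing a naming convention) can be turned into a small review pass over account-creation telemetry. The following is an added example, not part of the ATT&CK page or any vendor's product: it checks each newly created account against a hypothetical corporate naming schema (`first.last` for people, `svc_` prefix for service accounts), against a list of generic names of the kind named in the description, and against the accounts that already exist (catching near-duplicates such as a one-character variant or a digit-for-letter substitution), and it also flags a name that is deleted and then re-created, the sequence the description ties to Account Access Removal. The event records are constructed inline and only loosely modelled on Windows Security events 4720 (account created) and 4726 (account deleted); the field names are this example's own, not a log schema.

```python
import re

# Hypothetical naming convention: "first.last" for people, "svc_<service>" for service
# accounts. Any real deployment would substitute its own schema here (assumption).
CONVENTION = re.compile(r"^(?:[a-z]+\.[a-z]+|svc_[a-z0-9]+)$")

# Generic, trustworthy-sounding names of the kind the technique description cites.
GENERIC_NAMES = {"admin", "help", "root", "support",
                 "helpassistant", "supportaccount", "defaultaccount"}

# Common digit/symbol-for-letter substitutions folded back to letters before comparing.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a", "$": "s"})


def normalize(name):
    """Case-fold, undo homoglyph substitutions and unify separators for comparison."""
    return name.lower().translate(HOMOGLYPHS).replace("-", "_").replace(" ", "")


def levenshtein(a, b):
    """Edit distance; used to catch one-character variants of an existing account."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(name, existing):
    """Return the list of reasons a newly created account name looks suspicious."""
    reasons = []
    n = normalize(name)
    if n in GENERIC_NAMES:
        reasons.append(f"generic name '{name}'")
    if not CONVENTION.match(name):
        reasons.append("outside naming convention")
    for other in sorted(existing):
        o = normalize(other)
        if o == n and other != name:
            reasons.append(f"homoglyph/case variant of existing account '{other}'")
        elif levenshtein(o, n) == 1:
            reasons.append(f"approximates existing account '{other}'")
    return reasons


def review_events(events, existing_accounts):
    """Walk account lifecycle events in order and collect findings for creations."""
    existing = set(existing_accounts)
    deleted = set()
    findings = []
    for ev in events:
        if ev["id"] == 4726:                      # account deleted
            deleted.add(ev["target"])
            existing.discard(ev["target"])
            continue
        if ev["id"] != 4720:                      # only account creations are reviewed
            continue
        name = ev["target"]
        reasons = classify(name, existing)
        if name in deleted:
            reasons.append("re-created after deletion (4726 then 4720)")
        if reasons:
            findings.append({"account": name, "created_by": ev["subject"], "reasons": reasons})
        existing.add(name)
    return findings


# Constructed inventory of pre-existing accounts (assumption, not real data).
EXISTING_ACCOUNTS = {"Administrator", "Guest", "svc_backup", "svc_sql"}

# Constructed event stream: "target" is the account acted on, "subject" the actor.
EVENTS = [
    {"id": 4720, "target": "ann.lee",       "subject": "svc_provision"},  # conforms
    {"id": 4720, "target": "help",          "subject": "ann.lee"},        # generic name
    {"id": 4720, "target": "svc_backups",   "subject": "ann.lee"},        # near-duplicate
    {"id": 4720, "target": "Administrat0r", "subject": "ann.lee"},        # homoglyph variant
    {"id": 4726, "target": "svc_sql",       "subject": "ann.lee"},        # delete ...
    {"id": 4720, "target": "svc_sql",       "subject": "ann.lee"},        # ... then re-create
]

if __name__ == "__main__":
    for f in review_events(EVENTS, EXISTING_ACCOUNTS):
        print(f"{f['account']!r} created by {f['created_by']!r}: {'; '.join(f['reasons'])}")
```

Run against the constructed stream, the pass reports four of the five creations and stays silent on `ann.lee`, the one that fits the convention and resembles nothing already present. The convention regex and the generic-name list are the two knobs a team would tune to its own environment; the homoglyph table and the edit-distance threshold of one are deliberately conservative so the output stays reviewable.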
Threat Groups (4)
| ID | Group | Context |
|---|---|---|
| G1046 | Storm-1811 | [Storm-1811](https://attack.mitre.org/groups/G1046) has created Microsoft Teams accounts that spoof IT support and helpdesk members for use in applica... |
| G0059 | Magic Hound | [Magic Hound](https://attack.mitre.org/groups/G0059) has created local accounts named `help` and `DefaultAccount` on compromised machines.(Citation: D... |
| G0035 | Dragonfly | [Dragonfly](https://attack.mitre.org/groups/G0035) has created accounts disguised as legitimate backup and service accounts as well as an email admini... |
| G0022 | APT3 | [APT3](https://attack.mitre.org/groups/G0022) has been known to create or enable accounts, such as `support_388945a0`.(Citation: aptsim) |
Associated Software (2)
| ID | Name | Type | Context |
|---|---|---|---|
| S0143 | Flame | Malware | [Flame](https://attack.mitre.org/software/S0143) can create backdoor accounts with login `HelpAssistant` on domain connected systems if appropriate ri... |
| S0382 | ServHelper | Malware | [ServHelper](https://attack.mitre.org/software/S0382) has created a new user named `supportaccount`.(Citation: Proofpoint TA505 Jan 2019) |
References
- Daniel Stepanic, Derek Ditch, Seth Goodwin, Salim Bitam, Andrew Pease. (2022, September 7). CUBA Ransomware Campaign Analysis. Retrieved August 5, 2024.
- Invictus IR. (2024, January 11). Ransomware in the cloud. Retrieved August 5, 2024.
- John Hammond. (2023, June 1). MOVEit Transfer Critical Vulnerability CVE-2023-34362 Rapid Response. Retrieved August 5, 2024.
- Michael Katchinskiy, Assaf Morag. (2023, April 21). First-Ever Attack Leveraging Kubernetes RBAC to Backdoor Clusters. Retrieved July 14, 2023.
Frequently Asked Questions
What is T1036.010 (Masquerade Account Name)?
T1036.010 is a MITRE ATT&CK technique named 'Masquerade Account Name'. It belongs to the Stealth tactic(s). Adversaries may match or approximate the names of legitimate accounts to make newly created ones appear benign. This will typically occur during [Create Account](https://attack.mitre.org/techniques/T1...
How can T1036.010 be detected?
Detection of T1036.010 (Masquerade Account Name) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1036.010?
There are 2 documented mitigations for T1036.010. Key mitigations include: Audit, User Account Management.
Which threat groups use T1036.010?
Known threat groups using T1036.010 include: Storm-1811, Magic Hound, Dragonfly, APT3.