MITRE ATT&CK Technique
Description
Adversaries may match or approximate the names of legitimate accounts to make newly created ones appear benign. This will typically occur during [Create Account](https://attack.mitre.org/techniques/T1136), although accounts may also be renamed at a later date. This may also coincide with [Account Access Removal](https://attack.mitre.org/techniques/T1531) if the actor first deletes an account before re-creating one with the same name.(Citation: Huntress MOVEit 2023) Often, adversaries will attempt to masquerade as service accounts, such as those associated with legitimate software, data backups, or container cluster management.(Citation: Elastic CUBA Ransomware 2022)(Citation: Aquasec Kubernetes Attack 2023) They may also give accounts generic, trustworthy names, such as “admin”, “help”, or “root.”(Citation: Invictus IR Cloud Ransomware 2024) Sometimes adversaries may model account names off of those already existing in the system, as a follow-on behavior to [Account Discovery](https://attack.mitre.org/techniques/T1087). Note that this is distinct from [Impersonation](https://attack.mitre.org/techniques/T1656), which describes impersonating specific trusted individuals or organizations, rather than user or service account names.
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2024-08-05T21:39:16.274Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Adversaries may match or approximate the names of legitimate '
'accounts to make newly created ones appear benign. This will '
'typically occur during [Create '
'Account](https://attack.mitre.org/techniques/T1136), although '
'accounts may also be renamed at a later date. This may also '
'coincide with [Account Access '
'Removal](https://attack.mitre.org/techniques/T1531) if the '
'actor first deletes an account before re-creating one with '
'the same name.(Citation: Huntress MOVEit 2023)\n'
'\n'
'Often, adversaries will attempt to masquerade as service '
'accounts, such as those associated with legitimate software, '
'data backups, or container cluster management.(Citation: '
'Elastic CUBA Ransomware 2022)(Citation: Aquasec Kubernetes '
'Attack 2023) They may also give accounts generic, trustworthy '
'names, such as “admin”, “help”, or “root.”(Citation: Invictus '
'IR Cloud Ransomware 2024) Sometimes adversaries may model '
'account names off of those already existing in the system, as '
'a follow-on behavior to [Account '
'Discovery](https://attack.mitre.org/techniques/T1087). \n'
'\n'
'Note that this is distinct from '
'[Impersonation](https://attack.mitre.org/techniques/T1656), '
'which describes impersonating specific trusted individuals or '
'organizations, rather than user or service account names. ',
'external_references': [{'external_id': 'T1036.010',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1036/010'},
{'description': 'Daniel Stepanic, Derek Ditch, Seth '
'Goodwin, Salim Bitam, Andrew Pease. '
'(2022, September 7). CUBA Ransomware '
'Campaign Analysis. Retrieved August '
'5, 2024.',
'source_name': 'Elastic CUBA Ransomware 2022',
'url': 'https://www.elastic.co/security-labs/cuba-ransomware-campaign-analysis'},
{'description': 'Invictus IR. (2024, January 11). '
'Ransomware in the cloud. Retrieved '
'August 5, 2024.',
'source_name': 'Invictus IR Cloud Ransomware 2024',
'url': 'https://www.invictus-ir.com/news/ransomware-in-the-cloud'},
{'description': 'John Hammond. (2023, June 1). MOVEit '
'Transfer Critical Vulnerability '
'CVE-2023-34362 Rapid Response. '
'Retrieved August 5, 2024.',
'source_name': 'Huntress MOVEit 2023',
'url': 'https://www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response'},
{'description': 'Michael Katchinskiy, Assaf Morag. '
'(2023, April 21). First-Ever Attack '
'Leveraging Kubernetes RBAC to '
'Backdoor Clusters. Retrieved July '
'14, 2023.',
'source_name': 'Aquasec Kubernetes Attack 2023',
'url': 'https://blog.aquasec.com/leveraging-kubernetes-rbac-to-backdoor-clusters'}],
'id': 'attack-pattern--d349c66e-18e1-4d8b-a2d7-65af7cbd2ba0',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'defense-evasion'}],
'modified': '2025-04-15T22:48:14.966Z',
'name': 'Masquerade Account Name',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_contributors': ['Menachem Goldstein'],
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': True,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['Linux',
'macOS',
'Windows',
'SaaS',
'IaaS',
'Containers',
'Office Suite',
'Identity Provider'],
'x_mitre_version': '1.0'}