Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Вход Регистрация
MITRE ATT&CK - Technique Masquerade Account Name
CVE уязвимости
БДУ ФСТЭК уязвимости
НКЦКИ уязвимости
MITRE ATT&CK
БДУ ФСТЭК
Новая БДУ ФСТЭК
RU
Риски
Каталоги
MITRE ATT&CK
Техника
Masquerade Account Name
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

Masquerading:  Masquerade Account Name

ID Name
.001 Invalid Code Signature
.002 Right-to-Left Override
.003 Rename System Utilities
.004 Masquerade Task or Service
.005 Match Legitimate Name or Location
.006 Space after Filename
.007 Double File Extension
.008 Masquerade File Type
.009 Break Process Trees
.010 Masquerade Account Name

Adversaries may match or approximate the names of legitimate accounts to make newly created ones appear benign. This will typically occur during Create Account, although accounts may also be renamed at a later date. This may also coincide with Account Access Removal if the actor first deletes an account before re-creating one with the same name.(Citation: Huntress MOVEit 2023) Often, adversaries will attempt to masquerade as service accounts, such as those associated with legitimate software, data backups, or container cluster management.(Citation: Elastic CUBA Ransomware 2022)(Citation: Aquasec Kubernetes Attack 2023) They may also give accounts generic, trustworthy names, such as “admin”, “help”, or “root.”(Citation: Invictus IR Cloud Ransomware 2024) Sometimes adversaries may model account names off of those already existing in the system, as a follow-on behavior to Account Discovery. Note that this is distinct from Impersonation, which describes impersonating specific trusted individuals or organizations, rather than user or service account names.

ID: T1036.010
Sub-technique of:  T1036
Tactic(s): Defense Evasion
Platforms: Containers, IaaS, Identity Provider, Linux, macOS, Office Suite, SaaS, Windows
Data Sources: User Account: User Account Creation
Created: 05 Aug 2024
Last Modified: 17 Oct 2024

Procedure Examples
Name Description
Flame

Flame can create backdoor accounts with login `HelpAssistant` on domain connected systems if appropriate rights are available.(Citation: Kaspersky Flame)(Citation: Kaspersky Flame Functionality)
Magic Hound

Magic Hound has created local accounts named `help` and `DefaultAccount` on compromised machines.(Citation: DFIR Report APT35 ProxyShell March 2022)(Citation: Microsoft Iranian Threat Actor Trends November 2021)
Dragonfly

Dragonfly has created accounts disguised as legitimate backup and service accounts as well as an email administration account.(Citation: US-CERT TA18-074A)
ServHelper

ServHelper has created a new user named `supportaccount`.(Citation: Proofpoint TA505 Jan 2019)

During the 2016 Ukraine Electric Power Attack, Sandworm Team created two new accounts, “admin” and “система” (System).(Citation: Dragos Crashoverride 2018)
APT3

APT3 has been known to create or enable accounts, such as support_388945a0.(Citation: aptsim)

Mitigations
Mitigation Description
Audit

Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.
User Account Management

Manage the creation, modification, use, and permissions associated to user accounts.

References

  1. Michael Katchinskiy, Assaf Morag. (2023, April 21). First-Ever Attack Leveraging Kubernetes RBAC to Backdoor Clusters. Retrieved July 14, 2023.
  2. John Hammond. (2023, June 1). MOVEit Transfer Critical Vulnerability CVE-2023-34362 Rapid Response. Retrieved August 5, 2024.
  3. Invictus IR. (2024, January 11). Ransomware in the cloud. Retrieved August 5, 2024.
  4. Daniel Stepanic, Derek Ditch, Seth Goodwin, Salim Bitam, Andrew Pease. (2022, September 7). CUBA Ransomware Campaign Analysis. Retrieved August 5, 2024.
  5. Gostev, A. (2012, May 30). Flame: Bunny, Frog, Munch and BeetleJuice…. Retrieved March 1, 2017.
  6. Gostev, A. (2012, May 28). The Flame: Questions and Answers. Retrieved March 1, 2017.
  7. MSTIC. (2021, November 16). Evolving trends in Iranian threat actor activity – MSTIC presentation at CyberWarCon 2021. Retrieved January 12, 2023.
  8. DFIR Report. (2022, March 21). APT35 Automates Initial Access Using ProxyShell. Retrieved May 25, 2022.
  9. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
  10. Schwarz, D. and Proofpoint Staff. (2019, January 9). ServHelper and FlawedGrace - New malware introduced by TA505. Retrieved May 28, 2019.
  11. Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020.
  12. valsmith. (2012, September 21). More on APTSim. Retrieved September 28, 2017.
Навигация

Связанные риски

Ничего не найдено

Каталоги

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.