On the Futility of Renaming Built-In Active Directory Accounts

This isn’t 1995 any more. Built-in accounts have (and have always had) well-known SIDs. There’s little return on ham-fisting built-in accounts (e.g., “Administrator”), so modern exploit kits just check the SIDs. The “Administrator” well-known SID is just the domain SID with “-500” at the end. No computer hacking skills or nunchuck skills or bow-hunting skills required. Spend your time more productively elsewhere.

PS C:\>import-module ActiveDirectory
Get-ADDomain home.local | Select-Object DomainSID |FT DomainSID

DomainSID:
S-1-5-21-2079967355-3169663337-3296943937

Get-ADUser -Filter 'SID -eq "S-1-5-21-2079967355-3169663337-3296943937-500"' | FT Name


Name:
Administrator

Securify through obscurify (rename the “Administrator” account, shout out to the Dead Milkmen), and let’s see what we’ve gained:

PS C:\>import-module ActiveDirectory
Get-ADDomain home.local | Select-Object DomainSID |FT DomainSID

DomainSID:
S-1-5-21-2079967355-3169663337-3296943937

Get-ADUser -Filter 'SID -eq "S-1-5-21-2079967355-3169663337-3296943937-500"' | FT Name


Name:
beelzebubba

De nada.
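The same SID-based lookup, generalized to the other fixed RIDs that Windows appends to the domain SID, as an added example that is not part of the original post. It reports the current name of each well-known account or group next to its default name, so a defender can see where renaming has happened and make sure detection rules key on the SID rather than on a name that may no longer be "Administrator". It assumes the RSAT ActiveDirectory module and a reachable domain; "home.local" is the domain name used on this page, and the RID-to-name table is the standard Windows assignment.

```powershell
# Added example (not from the original post). Assumes the RSAT ActiveDirectory
# module and a reachable domain; "home.local" is the domain name used on the page.
Import-Module ActiveDirectory

# Well-known RIDs appended to the domain SID. These are fixed by Windows and
# survive any renaming of the object they identify.
$WellKnownRids = @{
    500 = 'Administrator'
    501 = 'Guest'
    502 = 'krbtgt'
    512 = 'Domain Admins'
    518 = 'Schema Admins'
    519 = 'Enterprise Admins'
}

function Get-WellKnownAccountStatus {
    param([Parameter(Mandatory)][string]$Domain)

    # Domain SID, e.g. S-1-5-21-2079967355-3169663337-3296943937
    $domainSid = (Get-ADDomain -Identity $Domain).DomainSID.Value

    foreach ($rid in ($WellKnownRids.Keys | Sort-Object)) {
        $sid = "$domainSid-$rid"

        # Resolve by objectSid so the lookup is unaffected by the display name.
        $obj = Get-ADObject -Server $Domain -LDAPFilter "(objectSid=$sid)" `
                            -Properties sAMAccountName, userAccountControl

        if (-not $obj) {
            [pscustomobject]@{
                RID = $rid; SID = $sid; DefaultName = $WellKnownRids[$rid]
                CurrentName = $null; Renamed = $null; Enabled = $null
            }
            continue
        }

        # Bit 0x2 of userAccountControl is ACCOUNTDISABLE; groups carry no UAC.
        $enabled = if ($obj.ObjectClass -eq 'user') {
            -not ($obj.userAccountControl -band 0x2)
        } else { $null }

        [pscustomobject]@{
            RID         = $rid
            SID         = $sid
            DefaultName = $WellKnownRids[$rid]
            CurrentName = $obj.sAMAccountName
            Renamed     = ($obj.sAMAccountName -ne $WellKnownRids[$rid])
            Enabled     = $enabled
        }
    }
}

# On the domain from the page, RID 500 would show CurrentName "beelzebubba" with Renamed = True.
Get-WellKnownAccountStatus -Domain 'home.local' | Format-Table -AutoSize
```

The Renamed column is the practical takeaway: a renamed RID-500 account still shows up under its SID in logon events, so a rule that matches on the account name "Administrator" silently stops firing after the rename, while one that matches the SID suffix -500 keeps working.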