Differences in Windows Administrator account name in localised languages

In a recent penetration test, we found an unpatched Windows Server 2016 host with the MS17-010 (aka WannaCry) vulnerability. Unfortunately, the Windows instance had to reboot after exploitation. A random server reboot would usually have triggered an anomaly alert in the SIEM, but no counteraction was detected. 🙂

One of our custom tools stopped working, and we were quite puzzled as to why, since it's tried and tested. Delving into the Windows Server command line, we found that the Windows Administrator account was named in the server's local language. Ah ha! A quick modification to the tool sent us on the right path.

In the Post Penetration Review, the differences between the Windows account name in various localised languages came up as a topic for discussion. Typically, the SID of the Windows account is used to determine whether it is an administrative account (see Common SIDs in Windows). In this case, we used the account name instead.

It didn't take long for us to rectify the problem and continue with the penetration test. There was no harm done and, more importantly, it helped to build awareness of the Windows account name differences in localised languages.

For your convenience, the following are the currently available localised Windows names:

| Language | Account Name |
| --- | --- |
| English | Administrator |
| Finnish | Järjestelmänvalvoja |
| French | Administrateur |
| Hungarian | Rendszergazda |
| Portuguese (Brazil) | Administrador |
| Portuguese (Portugal) | Administrador |
| Russian | Администратор |
| Spanish | Administrador |
| Swedish | Administratör |

Microsoft also provided sample code to obtain localized and renamed account names associated with accounts: How to deal with localized and renamed user and group names.

There are also localised display names used in Windows, but these are likely to map back to the common Administrator account. You can access the localised display names at Microsoft via List of Localized Display Name For the Administrator Account.
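The SID-versus-name point above, as an added example (it is not the tool from the test and not Microsoft's sample code): a check keyed on RID 500 identifies the built-in Administrator account whatever its localised or renamed name, while a name comparison does not. The account names come from the table; the SIDs and the `svc-renamed` account are constructed for illustration.

```python
import re

# Account SID layout: S-1-5-21-<three machine/domain sub-authorities>-<RID>
ACCOUNT_SID = re.compile(r"^S-1-5-21-(\d+)-(\d+)-(\d+)-(\d+)$")
BUILTIN_ADMIN_RID = 500  # well-known RID of the built-in Administrator account


def rid_of(sid):
    """Return the RID of a local/domain account SID, or None if it is not one."""
    m = ACCOUNT_SID.match(sid.strip().upper())
    return int(m.group(4)) if m else None


def is_builtin_admin_by_sid(sid):
    """Language-independent check: the RID survives localisation and renaming."""
    return rid_of(sid) == BUILTIN_ADMIN_RID


def is_builtin_admin_by_name(name):
    """Fragile check: only right on English systems with a non-renamed account."""
    return name.lower() == "administrator"


# Constructed inventory of (account name, SID); every SID here is made up.
SAMPLE = [
    ("Administrator", "S-1-5-21-1111111111-2222222222-3333333331-500"),
    ("Järjestelmänvalvoja", "S-1-5-21-1111111111-2222222222-3333333332-500"),
    ("Администратор", "S-1-5-21-1111111111-2222222222-3333333333-500"),
    ("svc-renamed", "S-1-5-21-1111111111-2222222222-3333333334-500"),
    # Ordinary user that merely carries the English name:
    ("Administrator", "S-1-5-21-1111111111-2222222222-3333333335-1001"),
    ("Guest", "S-1-5-21-1111111111-2222222222-3333333335-501"),
]


def audit(rows):
    """Return the rows where the name-based and SID-based answers disagree."""
    return [(name, sid) for name, sid in rows
            if is_builtin_admin_by_name(name) != is_builtin_admin_by_sid(sid)]


if __name__ == "__main__":
    for name, sid in audit(SAMPLE):
        verdict = "built-in admin" if is_builtin_admin_by_sid(sid) else "not built-in admin"
        print(f"name check wrong for {name!r} ({sid}): {verdict}")
```
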
