InfoSec Brain Tease:
You are doing a security evaluation. IT uses the same local admin password on all machines. However, so attackers cannot pivot through the network, they have a script that changes the local admin username to the BIOS serial number. (They don't use the serial number as a password because users could figure that out by looking at the script.)
You try to make them use LAPS, but they ask you to demonstrate how this is any less effective.
Your challenge: Is this an effective security mitigation? If not, give a network compromise scenario explaining why.

@SwiftOnSecurity
The administrator account is always SID 500, so renaming it doesn't help for any attacks that can use the SID. I don't think 'net user' or equivalent requires admin rights, so it's not hard to discover once you're on the machine.

Admin account doesn't lock out and serial numbers have patterns, so it wouldn't be difficult to brute force the account names if needed.
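The RID 500 point from the reply above, as an added example that is not part of the thread: the built-in Administrator keeps the well-known relative identifier 500 no matter what it is renamed to, so a low-privileged user on a compromised host can resolve the current name directly from the SID. The function names are this example's own; the cmdlets (Get-LocalUser, Get-CimInstance, Win32_UserAccount, Win32_BIOS) are standard Windows PowerShell 5.1 and later.

```powershell
# Added example, not from the thread: recover the renamed built-in Administrator
# account by its RID. Local SIDs have the form S-1-5-21-<machine part>-<RID>;
# the built-in Administrator is always RID 500.

function Get-BuiltinAdministrator {
    # Get-LocalUser lists local accounts with their SIDs and does not require
    # admin rights. Pick the one whose SID ends in -500.
    $admin = Get-LocalUser | Where-Object { $_.SID.Value -match '-500$' }

    [pscustomobject]@{
        Name    = $admin.Name        # whatever IT's rename script set it to
        SID     = $admin.SID.Value
        Enabled = $admin.Enabled
    }
}

function Get-BuiltinAdministratorCim {
    # Same lookup via WMI/CIM. Without -ComputerName it runs locally; with a
    # remote host name it goes over WSMan, which is the pivot case once an
    # attacker already holds working credentials.
    param([string]$ComputerName = $env:COMPUTERNAME)

    Get-CimInstance -ClassName Win32_UserAccount -ComputerName $ComputerName `
        -Filter "LocalAccount = TRUE" |
        Where-Object { $_.SID -match '-500$' } |
        Select-Object Name, SID, Disabled
}

function Test-AdminNameIsSerial {
    # The puzzle's script sets the name to the BIOS serial number. Win32_BIOS
    # is readable by standard users, so the "secret" name can be confirmed
    # (or predicted on other machines of the same model) without admin rights.
    $admin  = Get-BuiltinAdministrator
    $serial = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber
    $admin.Name -eq $serial
}

Get-BuiltinAdministrator
Test-AdminNameIsSerial
```

Run as an ordinary domain or local user on one compromised workstation: the first call prints the renamed account and its SID, the second returns True when the name matches that host's serial. Because the password is shared across the fleet, the same credential then works against every other host once its RID 500 name is read the same way.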


@FritzAdalis @SwiftOnSecurity

Also, if you are bruteforcing an account name, _which_ account would that lock?

@robryk
@SwiftOnSecurity
None, if the account doesn't exist.

I guess it'd technically be credential stuffing?

Qoto Mastodon