SECURITY: Worst usernames to use as administrator on an internet facing system
In this article I provide a list of usernames that unauthorized persons have tried to log on with. The attempts were recorded in the Windows Security log (Event ID 4625). I'll try to update this list in the future...
At the end you will find the PowerShell command used to create this list. Note that this "script" is ugly and horribly slow, but for the moment it is enough for me...
To enable logging for those events please see KB article #115.
Unauthorised connections from 08/17/2016 to 08/31/2016 (only accounts with more than ten tries are listed)
| Tries | Username |
| --- | --- |
| 6436 | ADMINISTRATOR |
| 1458 | ADMIN |
| 146 | USER |
| 146 | test |
| 112 | BNVERIT |
| 93 | scanner |
| 87 | backup |
| 81 | scan |
| 63 | support |
| 56 | david |
| 50 | info |
| 49 | reception |
| 47 | Benutzer |
| 46 | PRAXIS |
| 44 | ntsec_admin |
| 40 | office |
| 39 | temp |
| 38 | User1 |
| 38 | TERMINAL |
| 36 | Administrador |
| 34 | xerox |
| 33 | testuser |
| 33 | demo |
| 31 | VERWALTER |
| 31 | SYS |
| 30 | SQL |
| 30 | manager |
| 30 | jan |
| 29 | GUEST |
| 28 | Usuario |
| 28 | tim |
| 28 | ALEXANDER |
| 27 | remote |
| 27 | 1 |
| 26 | TOM |
| 26 | POS |
| 26 | EXTRUSION |
| 26 | eric |
| 25 | test1 |
| 25 | printer |
| 25 | LUIS |
| 24 | LEON |
| 24 | JONAS |
| 24 | JAKOB |
| 24 | JACOB |
| 24 | FINN |
| 24 | ERIK |
| 23 | PHILIPP |
| 23 | PAUL |
| 23 | NOAH |
| 23 | NIKLAS |
| 23 | NICLAS |
| 23 | MORITZ |
| 23 | MAXIMILIAN |
| 23 | MAX |
| 23 | LUKAS |
| 23 | LUKA |
| 23 | LUCAS |
| 23 | LUCA |
| 23 | LOUIS |
| 23 | JULIAN |
| 23 | HENRY |
| 23 | HENRI |
| 23 | FYNN |
| 23 | FELIX |
| 23 | ELIAS |
| 23 | BEN |
| 22 | Server |
| 22 | canon |
| 21 | scans |
| 20 | student |
| 20 | LAGER |
| 20 | administrateur |
| 19 | training |
| 19 | ftpuser |
| 19 | fax |
| 19 | aloha |
| 18 | VERWALTUNGSBEAMTE |
| 18 | ups |
| 18 | postgres |
| 18 | OPERATOR |
| 17 | besadmin |
| 16 | sqladmin |
| 16 | install |
| 15 | ZUZU |
| 15 | User2 |
| 15 | TRAINERU17 |
| 15 | tech |
| 15 | sales |
| 15 | ROSI |
| 15 | ROOT |
| 15 | NKVD |
| 15 | MICHI |
| 15 | marketing |
| 15 | internet |
| 15 | Gast |
| 15 | frontdesk |
| 15 | copier |
| 15 | BET3 |
| 15 | BET2 |
| 15 | BET1 |
| 14 | stefan |
| 14 | ricoh |
| 14 | Public |
| 14 | PLESK ADMINISTRATOR |
| 13 | shop |
| 13 | conference |
| 12 | video |
| 12 | VERWALTE |
| 12 | PSAADM |
| 12 | Pc |
| 12 | db2Admin |
| 12 | BUCHHALTUNG |
| 12 | accountant |
| 11 | warehouse |
| 11 | veritas |
| 11 | VDRS |
| 11 | SYSADMIN |
| 11 | service |
| 11 | |
| 11 | logmeinremoteuser |
| 11 | ADMINSTRATOR |
| 11 | ADM |
Script code:
##------------------------------------------------------------------------------------------------
##
## Audit-FailedLogonEvents.ps1
##
## Version 1.0.0
##
##
## Copyright (c) 2016 Martin Mueller - www.sh-soft.com
##
## Permission is hereby granted, free of charge, to any person obtaining a copy of this software
## and associated documentation files (the "Software"), to deal in the Software without
## restriction, including without limitation the rights to use, copy, modify, merge, publish,
## distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the
## Software is furnished to do so, subject to the following conditions:
##
## The above copyright notice and this permission notice shall be included in all copies or
## substantial portions of the Software.
##
## THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING
## BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
## NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
## DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
## FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
## (The MIT License (MIT))
##
##------------------------------------------------------------------------------------------------
<#
#>
# This creates a CSV file of the relevant event log entries seen on this page.
# They start on August 17th and run until the end of August 2016.
# The CSV file is written to C:\Report\BadAdmins_082016.csv and can be opened in MS Excel directly!
Get-EventLog -LogName Security -InstanceId 4625 -After 08/17/2016 -Before 08/31/2016 |
    Select-Object -ExpandProperty Message |
    ForEach-Object {
        # Split the message text into lines and keep the value of every "Account Name:" line
        $_.Split("`r`n") | ForEach-Object {
            if ($_ -like "*Account Name:*") {
                $UserName = $_.Split(":")[1].Trim()
                # "-" means the field carries no account name
                if ($UserName -ne "-") { return $UserName }
            }
        }
    } |
    Group-Object |
    Select-Object Count, Name |
    Sort-Object Count, Name -Descending |
    Export-Csv -Path "C:\Report\BadAdmins_082016.csv" -Delimiter ";" -Encoding utf8 -NoTypeInformation -NoClobber
# Yes, I know this is horribly ugly, but it works for me for that purpose... so please do not blame me :-)
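Another way to build the same count, as an added example that is not part of the original script: it reads the `TargetUserName` field from the event XML instead of splitting the message text, so the Subject account of a 4625 event is not counted next to the account the logon failed for. The function name `Get-FailedLogonTarget`, the host name `SRV01$`, the sample events and the documentation-range IP addresses are constructed for illustration.

```powershell
# Added example (not the original script): count failed-logon *target* accounts from 4625 event XML.
function Get-FailedLogonTarget {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    process {
        # Collect the named <Data> fields of the event into a lookup table
        $fields = @{}
        foreach ($d in ([xml]$EventXml).Event.EventData.Data) {
            if ($d.Name) { $fields[$d.Name] = $d.'#text' }
        }
        $name = $fields['TargetUserName']
        # Skip events that carry no target account name
        if ($name -and $name -ne '-') {
            [pscustomobject]@{ UserName = $name; SourceIp = $fields['IpAddress'] }
        }
    }
}

# Constructed sample events (reduced to the fields used here), so the block runs offline
$template = '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><EventData>' +
            '<Data Name="SubjectUserName">SRV01$</Data><Data Name="TargetUserName">{0}</Data>' +
            '<Data Name="IpAddress">{1}</Data></EventData></Event>'
$sample = @(
    ($template -f 'ADMINISTRATOR', '192.0.2.10'),
    ($template -f 'administrator', '198.51.100.7'),
    ($template -f 'scanner',       '198.51.100.7'),
    ($template -f '-',             '-')
)

# Calculated column: the distinct source addresses seen per account name
$sources = @{ Name = 'Sources'; Expression = { ($_.Group.SourceIp | Sort-Object -Unique) -join ',' } }

# Group-Object compares case-insensitively, so ADMINISTRATOR and administrator share one row
$sample | Get-FailedLogonTarget |
    Group-Object UserName |
    Select-Object Count, Name, $sources |
    Sort-Object Count -Descending |
    Format-Table -AutoSize

# On a live system (elevated prompt), feed real events instead of the sample:
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625
#                                  StartTime = [datetime]'08/17/2016'; EndTime = [datetime]'08/31/2016' } |
#     ForEach-Object { $_.ToXml() } | Get-FailedLogonTarget
```

The field names in the event XML are not localized, so the same code works on systems where the message text is not English.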