SOLVED

FailedLogonDescriptionSourceAccountUnknownUser for compromised accounts

%3CLINGO-SUB%20id%3D%22lingo-sub-285848%22%20slang%3D%22en-US%22%3EFailedLogonDescriptionSourceAccountUnknownUser%20for%20compromised%20accounts%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-285848%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Guys%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20number%20of%20known%20compromised%20accounts%20are%20showing%20%22FailedLogonDescriptionSourceAccountUnknownUser%22%20login%20activity%20against%20a%20domain%20controller%2C%20see%20attached%20pic.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ECan%20anyone%20explain%20what%20this%20means%3F%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22atafailed.png%22%20style%3D%22width%3A%20498px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F59627iF27037C0096CD749%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22atafailed.png%22%20alt%3D%22atafailed.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-285848%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAdvanced%20Threat%20Analytics%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-285974%22%20slang%3D%22en-US%22%3ERe%3A%20FailedLogonDescriptionSourceAccountUnknownUser%20for%20compromised%20accounts%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-285974%22%20slang%3D%22en-US%22%3E%3CP%3EThanks%20Eli%2C%20interesting%20to%20know!%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIf%20you%20need%20anything%20from%20me%20with%20regards%20to%20this%20please%20let%20me%20know.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-285944%22%20slang%3D%22en-US%22%3ERe%3A%20FailedLogonDescriptionSourceAccountUnknownUser%20for%20compromised%20accounts%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-285944%22%20slang%3D%22en-US%22%3E%3CP%3EAlso%2C%20I%20am%20guessing%20that%20the%20string%20that%20was%20planned%20behind%20this%20key%20is%20probably%20saying%20we%20saw%20a%20failed%20authentication%20from%20an%20unknown%20user.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-285940%22%20slang%3D%22en-US%22%3ERe%3A%20FailedLogonDescriptionSourceAccountUnknownUser%20for%20compromised%20accounts%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-285940%22%20slang%3D%22en-US%22%3E%3CP%3EIt's%20a%20bug.%20The%20system%20tries%20to%20find%20a%20resource%20string%20in%20the%20currently%20set%20language%20and%20failed%20to%20find%20it.%3C%2FP%3E%0A%3CP%3EI%20opened%20a%20bug%20for%20it.%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThanks%20for%20reporting%20it!%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EEli%3C%2FP%3E%3C%2FLINGO-BODY%3E
Occasional Contributor

Hi Guys,

 

I number of known compromised accounts are showing "FailedLogonDescriptionSourceAccountUnknownUser" login activity against a domain controller, see attached pic.

 

Can anyone explain what this means?

atafailed.png

3 Replies
best response confirmed by David McAllister (Occasional Contributor)
Solution

It's a bug. The system tries to find a resource string in the currently set language and failed to find it.

I opened a bug for it. 

Thanks for reporting it!

 

Eli

Also, I am guessing that the string that was planned behind this key is probably saying we saw a failed authentication from an unknown user.

Thanks Eli, interesting to know!

 

If you need anything from me with regards to this please let me know.