Hunt Accounts With Leaked Credentials

# *Hunt for accounts with leaked credentials*

## Query Information

#### MITRE ATT&CK Technique(s)

| Technique ID | Title    | Link    |
| ---  | --- | --- |
| TA0006 | Credential Access | https://attack.mitre.org/tactics/TA0006/ |


#### Description
This query searches for accounts where Exposure Management detected leaked credentials. It is correlated with the `IdentityInfo` table mainly so that you can easily turn it into a detection rule if you would like to.


#### Risk
This hunting query helps you find accounts that have leaked credentials. Acting on its results mitigates the risk of easy account compromise when an attacker is using known password lists.


#### Author
- **Name:** Robbe Van den Daele
- **Github:** https://github.com/RobbeVandenDaele
- **Twitter:** https://x.com/RobbeVdDaele
- **LinkedIn:** https://www.linkedin.com/in/robbe-van-den-daele-677986190/
- **Website:** https://hybridbrothers.com/

#### References

## Defender XDR
```KQL
IdentityInfo
| summarize arg_max(TimeGenerated, AccountUpn, AccountDisplayName, AccountDomain, CriticalityLevel, DistinguishedName) by AccountObjectId
| join kind=inner (
    ExposureGraphNodes
    // Get accounts with Leaked Credentials
    | where NodeProperties.rawData.hasAdLeakedCredentials == "true" or NodeProperties.rawData.hasLeakedCredentials == "true"
    // Get the AAD Object ID
    | mv-expand EntityIds
    | where EntityIds.type == "AadObjectId"
    | extend AccountObjectId = extract('objectid=(.*)', 1, tostring(EntityIds.id))
    | extend HasAdLeakedCredentials = tostring(NodeProperties.rawData.hasAdLeakedCredentials),
        HasLeakedCredentials = tostring(NodeProperties.rawData.hasLeakedCredentials)
    | distinct NodeLabel, AccountObjectId, HasAdLeakedCredentials, HasLeakedCredentials
) on AccountObjectId
```

Explanation

This query identifies user accounts whose credentials Exposure Management has detected as leaked, and which are therefore at high risk of compromise. A simplified breakdown of what the query does:

1. Data source: it uses two tables, `IdentityInfo` and `ExposureGraphNodes`.
2. Identity information: it first summarizes the `IdentityInfo` table with `arg_max` to get the most recent record for each account (`AccountObjectId`), including the UPN, display name, domain, criticality level and distinguished name.
3. Exposure detection: it then filters `ExposureGraphNodes` for nodes flagged with leaked credentials, determined by the `hasAdLeakedCredentials` or `hasLeakedCredentials` properties under `NodeProperties.rawData`. The `EntityIds` array is expanded and the AAD object ID is extracted from the `AadObjectId` entry.
4. Correlation: the two sets are joined (`kind=inner`) on `AccountObjectId`, so only accounts present in both, i.e. known identities that carry a leaked-credential flag, are returned.
5. Output: a list of accounts with leaked credentials, along with the identity details and the two leaked-credential flags.

In essence, this query helps security teams identify and mitigate risks associated with accounts that might be easily compromised due to leaked credentials, thus enhancing the organization's security posture.
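To make the correlation concrete, the following added Python example (not part of the original query page) reproduces the query's logic offline on constructed sample rows: it applies the same `objectid=(.*)` extraction to the expanded `EntityIds`, keeps only nodes whose leaked-credential flag is the string `"true"`, takes the latest `IdentityInfo` record per `AccountObjectId` (the `arg_max` step) and performs the inner join. The row contents are invented for illustration.

```python
import re

# Constructed sample rows shaped like the two tables the hunt joins (not real data).
IDENTITY_INFO = [
    {"TimeGenerated": "2026-01-20T08:00:00Z", "AccountObjectId": "aaaa-1111",
     "AccountUpn": "alice@contoso.example", "AccountDisplayName": "Alice", "CriticalityLevel": 2},
    {"TimeGenerated": "2026-01-25T08:00:00Z", "AccountObjectId": "aaaa-1111",
     "AccountUpn": "alice@contoso.example", "AccountDisplayName": "Alice Smith", "CriticalityLevel": 0},
    {"TimeGenerated": "2026-01-25T08:00:00Z", "AccountObjectId": "bbbb-2222",
     "AccountUpn": "bob@contoso.example", "AccountDisplayName": "Bob", "CriticalityLevel": 3},
]
EXPOSURE_GRAPH_NODES = [
    {"NodeLabel": "user", "NodeProperties": {"rawData": {"hasLeakedCredentials": "true"}},
     "EntityIds": [{"type": "AadObjectId", "id": "tenant=t1;objectid=aaaa-1111"},
                   {"type": "AdSid", "id": "S-1-5-21-1"}]},
    {"NodeLabel": "user", "NodeProperties": {"rawData": {"hasAdLeakedCredentials": "false"}},
     "EntityIds": [{"type": "AadObjectId", "id": "objectid=bbbb-2222"}]},
    {"NodeLabel": "user", "NodeProperties": {"rawData": {}},
     "EntityIds": [{"type": "AadObjectId", "id": "objectid=cccc-3333"}]},
]

OBJECTID_RE = re.compile(r"objectid=(.*)")  # same pattern the KQL extract() uses

def leaked_credential_nodes(nodes):
    """Inner query: keep flagged nodes, expand EntityIds, pull the AAD object id."""
    flagged = {}
    for node in nodes:
        raw = node["NodeProperties"].get("rawData", {})
        # tostring() of a missing property is "" in KQL; the comparison is against "true"
        ad_leaked = str(raw.get("hasAdLeakedCredentials", ""))
        leaked = str(raw.get("hasLeakedCredentials", ""))
        if ad_leaked != "true" and leaked != "true":
            continue
        for entity in node["EntityIds"]:  # mv-expand EntityIds
            if entity.get("type") != "AadObjectId":
                continue
            m = OBJECTID_RE.search(entity["id"])
            if m:
                flagged[m.group(1)] = {"NodeLabel": node["NodeLabel"],
                                       "HasAdLeakedCredentials": ad_leaked,
                                       "HasLeakedCredentials": leaked}
    return flagged

def latest_identity(rows):
    """summarize arg_max(TimeGenerated, ...) by AccountObjectId"""
    latest = {}
    for r in rows:
        cur = latest.get(r["AccountObjectId"])
        if cur is None or r["TimeGenerated"] > cur["TimeGenerated"]:
            latest[r["AccountObjectId"]] = r
    return latest

def hunt_leaked_accounts(identity_rows, nodes):
    """join kind=inner on AccountObjectId: only identities that carry a leaked flag."""
    flagged, ident = leaked_credential_nodes(nodes), latest_identity(identity_rows)
    return [{**ident[oid], **flagged[oid]} for oid in flagged if oid in ident]
```

Note that only the newest `IdentityInfo` record survives, so the result carries the current display name and criticality level rather than stale ones.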

Robbe Van den Daele

Released: January 26, 2026
