Hunt for accounts with leaked credentials
Hunt Accounts With Leaked Credentials
Query
IdentityInfo
| summarize arg_max(TimeGenerated, AccountUpn, AccountDisplayName, AccountDomain, CriticalityLevel, DistinguishedName) by AccountObjectId
| join kind=inner (
ExposureGraphNodes
// Get accounts with Leaked Credentials
| where NodeProperties.rawData.hasAdLeakedCredentials == "true" or NodeProperties.rawData.hasLeakedCredentials == "true"
// Get the AAD Object ID
| mv-expand EntityIds
| where EntityIds.type == "AadObjectId"
| extend AccountObjectId = extract('objectid=(.*)', 1, tostring(EntityIds.id))
| extend HasAdLeakedCredentials = tostring(NodeProperties.rawData.hasAdLeakedCredentials),
HasLeakedCredentials = tostring(NodeProperties.rawData.hasLeakedCredentials)
| distinct NodeLabel, AccountObjectId, HasAdLeakedCredentials, HasLeakedCredentials
) on AccountObjectIdAbout this query
Hunt for accounts with leaked credentials
Query Information
MITRE ATT&CK Technique(s)
| Technique ID | Title | Link |
|---|---|---|
| TA0006 | Credential Access | https://attack.mitre.org/tactics/TA0006/ |
Description
This query searches for accounts where Exposure Management detected leaked credentials. This query is correlated with the IdentityInfo table, mainly because you can easily create a detection of this rule if you would like to.
Risk
This hunting query helps you in finding accounts that have leaked credentials. This mitigates the risk of easy account compromise when an attacker is using known password lists.
Author <Optional>
- Name: Robbe Van den Daele
- Github: https://github.com/RobbeVandenDaele
- Twitter: https://x.com/RobbeVdDaele
- LinkedIn: https://www.linkedin.com/in/robbe-van-den-daele-677986190/
- Website: https://hybridbrothers.com/
References
Defender XDR
Explanation
This query is designed to identify user accounts that have been detected with leaked credentials, which is a significant security risk. Here's a simple breakdown of what the query does:
-
Data Source: The query uses two main data sources:
IdentityInfoandExposureGraphNodes. -
Summarizing Account Information:
- It first summarizes the most recent information about each account from the
IdentityInfotable. This includes details like the account's unique identifier, display name, domain, and criticality level.
- It first summarizes the most recent information about each account from the
-
Identifying Leaked Credentials:
- The query then looks into the
ExposureGraphNodestable to find accounts flagged with leaked credentials. It checks for two specific properties:hasAdLeakedCredentialsandhasLeakedCredentials, both of which indicate whether an account's credentials have been leaked.
- The query then looks into the
-
Joining Data:
- The query joins the summarized account information with the leaked credentials data using the account's unique identifier (
AccountObjectId). This helps in correlating the account details with the exposure status.
- The query joins the summarized account information with the leaked credentials data using the account's unique identifier (
-
Output:
- The result is a list of accounts that have been identified with leaked credentials, along with their relevant details. This information can be used to take preventive actions to secure these accounts and mitigate the risk of unauthorized access.
Overall, this query helps security teams proactively identify and address potential vulnerabilities due to leaked credentials, thereby enhancing the organization's security posture.
Details

Robbe Van den Daele
Released: January 29, 2026
Tables
Keywords
Operators