Query Details

Hunt for accounts with leaked credentials

Hunt Accounts With Leaked Credentials

Query

IdentityInfo
| summarize arg_max(TimeGenerated, AccountUpn, AccountDisplayName, AccountDomain, CriticalityLevel, DistinguishedName) by AccountObjectId
| join kind=inner (
    ExposureGraphNodes
    // Get accounts with Leaked Credentials
    | where NodeProperties.rawData.hasAdLeakedCredentials == "true" or NodeProperties.rawData.hasLeakedCredentials == "true"
    // Get the AAD Object ID
    | mv-expand EntityIds
    | where EntityIds.type == "AadObjectId"
    | extend AccountObjectId = extract('objectid=(.*)', 1, tostring(EntityIds.id))
    | extend HasAdLeakedCredentials = tostring(NodeProperties.rawData.hasAdLeakedCredentials),
        HasLeakedCredentials = tostring(NodeProperties.rawData.hasLeakedCredentials)
    | distinct NodeLabel, AccountObjectId, HasAdLeakedCredentials, HasLeakedCredentials
) on AccountObjectId

About this query

Hunt for accounts with leaked credentials

Query Information

MITRE ATT&CK Technique(s)

Technique IDTitleLink
TA0006Credential Accesshttps://attack.mitre.org/tactics/TA0006/

Description

This query searches for accounts where Exposure Management detected leaked credentials. This query is correlated with the IdentityInfo table, mainly because you can easily create a detection of this rule if you would like to.

Risk

This hunting query helps you in finding accounts that have leaked credentials. This mitigates the risk of easy account compromise when an attacker is using known password lists.

Author <Optional>

References

Defender XDR

Explanation

This query is designed to identify user accounts that have been detected with leaked credentials, which is a significant security risk. Here's a simple breakdown of what the query does:

  1. Data Source: The query uses two main data sources: IdentityInfo and ExposureGraphNodes.

  2. Summarizing Account Information:

    • It first summarizes the most recent information about each account from the IdentityInfo table. This includes details like the account's unique identifier, display name, domain, and criticality level.
  3. Identifying Leaked Credentials:

    • The query then looks into the ExposureGraphNodes table to find accounts flagged with leaked credentials. It checks for two specific properties: hasAdLeakedCredentials and hasLeakedCredentials, both of which indicate whether an account's credentials have been leaked.
  4. Joining Data:

    • The query joins the summarized account information with the leaked credentials data using the account's unique identifier (AccountObjectId). This helps in correlating the account details with the exposure status.
  5. Output:

    • The result is a list of accounts that have been identified with leaked credentials, along with their relevant details. This information can be used to take preventive actions to secure these accounts and mitigate the risk of unauthorized access.

Overall, this query helps security teams proactively identify and address potential vulnerabilities due to leaked credentials, thereby enhancing the organization's security posture.

Details

Robbe Van den Daele profile picture

Robbe Van den Daele

Released: January 29, 2026

Tables

IdentityInfoExposureGraphNodes

Keywords

IdentityInfoAccountUpnAccountDisplayNameAccountDomainCriticalityLevelDistinguishedNameAccountObjectIdExposureGraphNodesNodePropertiesEntityIdsAadObjectIdNodeLabel

Operators

summarizearg_maxjoinkind=innerwheremv-expandextendextracttostringdistinct

Actions

GitHub