Hunt for critical credentials on devices with non-critical accounts

Group by: SourceNodeName
Author: Robbe Van den Daele
Source: github.com/HybridBrothers/Hunting-Queries-Detection-Rules

In most organizations normal user accounts or accounts with low risk permissions have less security controls enabled. This because there are less security controls needed in order to minize the risk vectors that come with these accounts. If these accounts are used on devices where critical account credentials are also present, the critical user account can be compromised more easily when the device is accessed by an adversary via the non-critical user account. Because of this, a Privileged Access Workstation should be used which serves as a dedicated workstation for the critical accounts. By doing this, the critical user account cannot be compromised via a unhardened device.

MITRE ATT&CK coverage

Tactic	Techniques
Initial Access	`T1078` Valid Accounts
Persistence	`T1078` Valid Accounts
Privilege Escalation	`T1078` Valid Accounts
Stealth	`T1078` Valid Accounts

Rule body yaml

// Search for all users and save their criticality level
let xspm_users = materialize(
    ExposureGraphNodes
    | where NodeLabel == "user"
    | extend CriticalityLevel = todynamic(NodeProperties).rawData.criticalityLevel.criticalityLevel
    | extend RuleNames = todynamic(NodeProperties).rawData.criticalityLevel.ruleNames
    | distinct NodeName, NodeId, tostring(CriticalityLevel), tostring(RuleNames)
);
// Make a list of all critical users
let critical_users = toscalar(
    xspm_users
    | where CriticalityLevel == 0
    | summarize make_set(NodeName)
);
// Make a list of all non critical users
let non_critical_users = toscalar(
    xspm_users
    | where CriticalityLevel != 0
    | summarize make_set(NodeName)
);
// Make graph for max of 3 edges, where we start from a device and end with an user
ExposureGraphEdges
| make-graph SourceNodeId --> TargetNodeId with ExposureGraphNodes on NodeId
| graph-match (SourceNode)-[anyEdge*1..3]->(TargetNode)
    where SourceNode.NodeLabel in ("device", "microsoft.compute/virtualmachines") and TargetNode.NodeLabel == "user"
    project SourceNodeName = SourceNode.NodeName,
    Edges = anyEdge.EdgeLabel,
    TargetNodeName = TargetNode.NodeName,
    TargetNodeLabel = TargetNode.NodeLabel
// Make a list of all users a device has credentials for
| summarize UserList = make_set(TargetNodeName) by SourceNodeName
// Only return devices with more than one credential
| where array_length(UserList) > 1
// Make new lists saving the critical users and non critical users per device
| extend CriticalUserList = set_intersect(UserList, critical_users),
    NonCriticalUserList = set_intersect(UserList, non_critical_users)
// Flag when a device has both critical and non critical users
| where array_length(CriticalUserList) > 0 and array_length(NonCriticalUserList) > 0

Stages and Predicates

Let binding: `xspm_users`

let xspm_users = materialize(
    ExposureGraphNodes
    | where NodeLabel == "user"
    | extend CriticalityLevel = todynamic(NodeProperties).rawData.criticalityLevel.criticalityLevel
    | extend RuleNames = todynamic(NodeProperties).rawData.criticalityLevel.ruleNames
    | distinct NodeName, NodeId, tostring(CriticalityLevel), tostring(RuleNames)
);

Let binding: `critical_users`

let critical_users = toscalar(
    xspm_users
    | where CriticalityLevel == 0
    | summarize make_set(NodeName)
);

Derived from xspm_users.

Let binding: `non_critical_users`

let non_critical_users = toscalar(
    xspm_users
    | where CriticalityLevel != 0
    | summarize make_set(NodeName)
);

Derived from xspm_users.

Stage 1: `source`

ExposureGraphEdges

Stage 2: `macro`

| make-graph SourceNodeId --> TargetNodeId with ExposureGraphNodes on NodeId

Stage 3: `macro`

| graph-match (SourceNode)-[anyEdge*1..3]->(TargetNode)
    where SourceNode.NodeLabel in ("device", "microsoft.compute/virtualmachines") and TargetNode.NodeLabel == "user"
    project SourceNodeName = SourceNode.NodeName,
    Edges = anyEdge.EdgeLabel,
    TargetNodeName = TargetNode.NodeName,
    TargetNodeLabel = TargetNode.NodeLabel

Stage 4: `summarize`

| summarize UserList = make_set(TargetNodeName) by SourceNodeName

Threshold: gt 1

Stage 5: `where`

| where array_length(UserList) > 1

Stage 6: `extend`

| extend CriticalUserList = set_intersect(UserList, critical_users),
    NonCriticalUserList = set_intersect(UserList, non_critical_users)

References critical_users, non_critical_users (defined above).

Stage 7: `where`

| where array_length(CriticalUserList) > 0 and array_length(NonCriticalUserList) > 0

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`CriticalUserList`	gt	`0` transforms: `array_length`
`NonCriticalUserList`	gt	`0` transforms: `array_length`
`UserList`	gt	`1` transforms: `array_length`

Output fields

Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.

Field	Source
`SourceNodeName`	`summarize`
`UserList`	`summarize`
`CriticalUserList`	`extend`
`NonCriticalUserList`	`extend`

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

Hunt for critical credentials on devices with non-critical accounts

MITRE ATT&CK coverage

Rule body yaml

Stages and Predicates

Let binding: `xspm_users`

Let binding: `critical_users`

Let binding: `non_critical_users`

Stage 1: `source`

Stage 2: `macro`

Stage 3: `macro`

Stage 4: `summarize`

Stage 5: `where`

Stage 6: `extend`

Stage 7: `where`

Indicators

Output fields

Keyboard shortcuts

Search operators

Hunt for critical credentials on devices with non-critical accounts

MITRE ATT&CK coverage

Rule body yaml

Stages and Predicates

Let binding: xspm_users

Let binding: critical_users

Let binding: non_critical_users

Stage 1: source

Stage 2: macro

Stage 3: macro

Stage 4: summarize

Stage 5: where

Stage 6: extend

Stage 7: where

Indicators

Output fields

Let binding: `xspm_users`

Let binding: `critical_users`

Let binding: `non_critical_users`

Stage 1: `source`

Stage 2: `macro`

Stage 3: `macro`

Stage 4: `summarize`

Stage 5: `where`

Stage 6: `extend`

Stage 7: `where`