
Potential Shadow Credentials added to AD Object

Elastic Detection Rules

Summary
This detection rule identifies modifications to the `msDS-KeyCredentialLink` attribute on Active Directory (AD) user or computer objects, the write that underlies a shadow credentials attack. An attacker who holds write access to that attribute on a target object generates a key pair, stores the public key in the attribute as a KeyCredential, and can then authenticate as the target over Kerberos PKINIT with the private key, obtaining a TGT for the account (and, through user-to-user authentication, its NTLM hash) without knowing its password. The foothold persists until the attribute is cleaned up and lets the attacker act as the compromised user or computer. The rule reads Windows event logs from the `winlogbeat-*`, `logs-system.*` and `logs-windows.*` indices and matches directory-service change events in which the modified attribute is `msDS-KeyCredentialLink`. It is of production maturity and carries a risk score of 73: writes to this attribute are rare in most environments and bear directly on credential access and authentication, so they warrant close scrutiny. The rule ships with investigation and response guidance for when it fires. It also names a known source of false positives: the Azure AD Connect synchronization account and the ADFS service account legitimately write this attribute, and the rule describes how to handle those accounts as exceptions rather than disabling the detection.
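The detection replayed over a few constructed events, as an added example; this is not Elastic's rule code. It assumes the rule keys on Security event 5136 ("A directory service object was modified") and the winlogbeat field `winlog.event_data.AttributeLDAPDisplayName`, that 5136 reports the operation with the resource strings `%%14674` (value added) and `%%14675` (value deleted), and that the allowlisted account names `MSOL_a1b2c3d4` and `svc_adfs` stand in for a real domain's Azure AD Connect and ADFS service accounts. The sample events are constructed, not real logs.

```python
"""Added example (not Elastic's rule code): the msDS-KeyCredentialLink detection
replayed over constructed 5136 events, with the Azure AD Connect / ADFS
exception that the rule's false-positive note describes."""
from typing import Iterable, Optional

# Security event 5136 = "A directory service object was modified". It is only
# emitted when the "Audit Directory Service Changes" subcategory is enabled and
# the object carries a matching SACL (assumption: the rule relies on this event).
EVENT_DS_OBJECT_MODIFIED = "5136"
TARGET_ATTRIBUTE = "msds-keycredentiallink"

# 5136 reports the operation as a resource string; these are assumed to be the
# "Value Added" / "Value Deleted" codes.
OP_VALUE_ADDED = "%%14674"
OP_VALUE_DELETED = "%%14675"

# Hypothetical service-account names; on a real domain these would be the
# Azure AD Connect sync account and the ADFS service account.
ALLOWLIST = {"msol_a1b2c3d4", "svc_adfs"}

# Constructed sample events, flattened into winlogbeat/ECS-style field names.
SAMPLE_EVENTS = [
    {   # constructed: low-privilege user writes a key onto a DC computer object (attack)
        "event.code": "5136",
        "winlog.event_data.AttributeLDAPDisplayName": "msDS-KeyCredentialLink",
        "winlog.event_data.ObjectDN": "CN=DC01,OU=Domain Controllers,DC=corp,DC=local",
        "winlog.event_data.ObjectClass": "computer",
        "winlog.event_data.SubjectUserName": "jdoe",
        "winlog.event_data.OperationType": "%%14674",
    },
    {   # constructed: Azure AD Connect writes a key back to a user object (benign)
        "event.code": "5136",
        "winlog.event_data.AttributeLDAPDisplayName": "msDS-KeyCredentialLink",
        "winlog.event_data.ObjectDN": "CN=Jane Smith,OU=Users,DC=corp,DC=local",
        "winlog.event_data.ObjectClass": "user",
        "winlog.event_data.SubjectUserName": "MSOL_a1b2c3d4",
        "winlog.event_data.OperationType": "%%14674",
    },
    {   # constructed: the same user later removes the key (cleanup still matches)
        "event.code": "5136",
        "winlog.event_data.AttributeLDAPDisplayName": "msDS-KeyCredentialLink",
        "winlog.event_data.ObjectDN": "CN=DC01,OU=Domain Controllers,DC=corp,DC=local",
        "winlog.event_data.ObjectClass": "computer",
        "winlog.event_data.SubjectUserName": "jdoe",
        "winlog.event_data.OperationType": "%%14675",
    },
    {   # constructed: unrelated attribute change, must not match
        "event.code": "5136",
        "winlog.event_data.AttributeLDAPDisplayName": "servicePrincipalName",
        "winlog.event_data.ObjectDN": "CN=WEB01,OU=Servers,DC=corp,DC=local",
        "winlog.event_data.ObjectClass": "computer",
        "winlog.event_data.SubjectUserName": "admin.ops",
        "winlog.event_data.OperationType": "%%14674",
    },
]


def matches_rule(event: dict) -> bool:
    """The rule's core filter: a 5136 whose modified attribute is msDS-KeyCredentialLink."""
    attr = event.get("winlog.event_data.AttributeLDAPDisplayName", "")
    return event.get("event.code") == EVENT_DS_OBJECT_MODIFIED and attr.lower() == TARGET_ATTRIBUTE


def triage(event: dict, allowlist: Iterable[str]) -> Optional[dict]:
    """Build an alert for a matching event; allowlisted writers are marked suppressed."""
    if not matches_rule(event):
        return None
    writer = event.get("winlog.event_data.SubjectUserName", "")
    op = event.get("winlog.event_data.OperationType", "")
    alert = {
        "writer": writer,
        "target": event.get("winlog.event_data.ObjectDN", ""),
        "target_class": event.get("winlog.event_data.ObjectClass", ""),
        "operation": "added" if op == OP_VALUE_ADDED else "deleted" if op == OP_VALUE_DELETED else "other",
        "suppressed": writer.lower() in {a.lower() for a in allowlist},
    }
    # A key written onto a domain controller's computer object is the most urgent case:
    # a TGT for the DC account gives the writer replication rights, i.e. DCSync.
    alert["priority"] = "high" if "OU=Domain Controllers" in alert["target"] else "medium"
    return alert


def run_detection(events: Iterable[dict], allowlist: Iterable[str] = ALLOWLIST) -> list:
    """Alerts that survive the exception list, in event order."""
    allow = set(allowlist)
    return [a for a in (triage(e, allow) for e in events) if a and not a["suppressed"]]


if __name__ == "__main__":
    for alert in run_detection(SAMPLE_EVENTS):
        print(alert)
```

Two points the replay makes that the summary alone does not: the attribute match is the only filter, so a value deletion (the attacker tidying up) fires the rule just as an addition does, and the exception is scoped to the writing account, not to the attribute, so a compromised sync or ADFS account would still be invisible to this rule and needs separate coverage.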
Categories
  • Identity Management
  • Endpoint
  • Windows
Data Sources
  • Active Directory
  • Windows Registry
  • Logon Session
ATT&CK Techniques
  • T1556
Created: 2022-01-26