
Possible Shadow Credentials Added

Summary
This detection rule identifies possible additions of shadow credentials to Active Directory (AD) objects. Shadow credentials are credential material written to an AD object without going through the normal authentication mechanisms, and they can be used to gain elevated access. The rule works by monitoring audit events for changes to an LDAP attribute that indicates shadow credential activity: its primary trigger is Event ID 5136 (a directory service object was modified) recording a modification of the 'msDS-KeyCredentialLink' attribute on an AD object. Directory service change auditing must be configured and the resulting events collected for the rule to function.

False positives are possible, particularly legitimate updates performed by Azure AD Connect or ADFS service accounts; these accounts can be excluded from detection by adding them to an exceptions list. Regular monitoring of, and prompt response to, the alerts this rule raises help reduce the risk of unauthorized credential exposure and preserve the integrity of the organization's Active Directory environment.
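The following is an added worked example of the detection logic the summary describes, written for this page; it is not the Sigma rule itself nor code from the Sigma project. It runs a small matcher over a constructed set of Security-log records shaped like Event ID 5136, flags value additions to 'msDS-KeyCredentialLink', and applies an exceptions list for service accounts. The OperationType resource strings ('%%14674' = Value Added, '%%14675' = Value Deleted) are the values Windows writes into Event 5136; the sample account names (the 'MSOL_*' prefix for Azure AD Connect and 'svc-adfs' for ADFS) and the choice to alert only on additions rather than all modifications are assumptions made for the example.

```python
import fnmatch

# Event ID 5136 OperationType values as written by Windows
VALUE_ADDED = "%%14674"
VALUE_DELETED = "%%14675"

# The attribute that carries key credentials on an AD object
WATCHED_ATTRIBUTE = "msDS-KeyCredentialLink"

# Exceptions list (assumed names): Azure AD Connect uses an MSOL_<hex> account,
# and the ADFS service account is a site-specific name.
EXCLUDED_SUBJECTS = ["MSOL_*", "svc-adfs"]

# Constructed sample records with the field names Event 5136 uses.
SAMPLE_EVENTS = [
    # Legitimate sync from Azure AD Connect: matched, then excluded
    {"EventID": 5136, "SubjectUserName": "MSOL_a1b2c3d4e5f6",
     "ObjectDN": "CN=DC01,OU=Domain Controllers,DC=corp,DC=example",
     "AttributeLDAPDisplayName": WATCHED_ATTRIBUTE, "OperationType": VALUE_ADDED},
    # Ordinary user adding a key credential to a domain controller object: alert
    {"EventID": 5136, "SubjectUserName": "jdoe",
     "ObjectDN": "CN=DC01,OU=Domain Controllers,DC=corp,DC=example",
     "AttributeLDAPDisplayName": WATCHED_ATTRIBUTE, "OperationType": VALUE_ADDED},
    # Same user changing an unrelated attribute: no alert
    {"EventID": 5136, "SubjectUserName": "jdoe",
     "ObjectDN": "CN=WS-42,OU=Workstations,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "description", "OperationType": VALUE_ADDED},
    # Removal of a key credential: not an addition, so no alert here
    {"EventID": 5136, "SubjectUserName": "jdoe",
     "ObjectDN": "CN=WS-42,OU=Workstations,DC=corp,DC=example",
     "AttributeLDAPDisplayName": WATCHED_ATTRIBUTE, "OperationType": VALUE_DELETED},
    # Different event ID entirely: ignored
    {"EventID": 4662, "SubjectUserName": "jdoe",
     "ObjectDN": "CN=WS-42,OU=Workstations,DC=corp,DC=example",
     "AttributeLDAPDisplayName": WATCHED_ATTRIBUTE, "OperationType": VALUE_ADDED},
]


def is_excluded(subject: str, patterns) -> bool:
    """True if the acting account matches any exceptions-list pattern (case-sensitive glob)."""
    return any(fnmatch.fnmatchcase(subject, p) for p in patterns)


def detect_shadow_credential_adds(events, excluded=EXCLUDED_SUBJECTS):
    """Return one alert per Event 5136 that adds a value to msDS-KeyCredentialLink
    and is not performed by an account on the exceptions list."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 5136:
            continue
        if ev.get("AttributeLDAPDisplayName") != WATCHED_ATTRIBUTE:
            continue
        if ev.get("OperationType") != VALUE_ADDED:
            continue
        subject = ev.get("SubjectUserName", "")
        if is_excluded(subject, excluded):
            continue
        alerts.append({
            "rule": "Possible Shadow Credentials Added",
            "subject": subject,
            "object": ev.get("ObjectDN", ""),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_shadow_credential_adds(SAMPLE_EVENTS):
        print(f"[{alert['rule']}] {alert['subject']} modified {alert['object']}")
```

The exceptions list is applied after the attribute and operation checks rather than before, so an excluded account still has to match the full pattern to be silently dropped; when tuning in production, prefer matching the exact service account names your directory uses over broad wildcards.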
Categories
  • Identity Management
  • Windows
Data Sources
  • Active Directory
  • Logon Session
  • Windows Registry
Created: 2022-10-17