
Summary
This detection rule identifies unauthorized modifications to the `msPKIAccountCredentials` attribute on Active Directory user objects. Attackers may abuse the credential roaming feature to overwrite this attribute, potentially enabling privilege escalation. The `msPKIAccountCredentials` attribute holds sensitive material such as encrypted credential objects, private keys, and certificates, which makes it a high-value target. The rule relies on Windows event logs that record changes to this attribute, matching on event code 5136 and excluding modifications made by the system account to filter out the noise generated by routine administrative activity. The effective match conditions are the LDAP display name of the attribute and the operation type of the directory change. For the rule to function, the 'Audit Directory Service Changes' policy must be enabled for both success and failure auditing. The threat addressed by this rule maps to the MITRE ATT&CK tactic Privilege Escalation (TA0004) via Exploitation for Privilege Escalation (T1068). Investigation guidance recommends reviewing related logs and the user's history while handling the false positives that legitimate administrative activity can produce.
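The following is an added example, not the rule's own query, showing the match logic above run over constructed 5136 records. The field layout, the `%%14674` operation-type code for "Value Added" and the `S-1-5-18` LocalSystem SID are assumptions about how the real rule filters.

```python
# Added example: evaluates the detection condition described in the summary
# against constructed Windows 5136 "Directory Service Changes" records.
# Field names, the Value-Added OperationType code and the LocalSystem SID
# are assumptions, not taken from the rule itself.
LOCAL_SYSTEM_SID = "S-1-5-18"      # SYSTEM writes are routine roaming noise
VALUE_ADDED = "%%14674"            # assumed 5136 OperationType for "Value Added"
TARGET_ATTRIBUTE = "msPKIAccountCredentials"

def is_credential_roaming_tamper(event: dict) -> bool:
    """True when a 5136 event writes msPKIAccountCredentials on a user object
    and the actor is not the local SYSTEM account."""
    data = event.get("event_data", {})
    return (
        event.get("event_code") == "5136"
        and data.get("ObjectClass") == "user"
        and data.get("AttributeLDAPDisplayName") == TARGET_ATTRIBUTE
        and data.get("OperationType") == VALUE_ADDED
        and data.get("SubjectUserSid") != LOCAL_SYSTEM_SID
    )

def _event(attr, sid, user):
    # Helper to build a constructed sample record (not real telemetry).
    return {"event_code": "5136", "event_data": {
        "ObjectClass": "user", "AttributeLDAPDisplayName": attr,
        "OperationType": VALUE_ADDED, "SubjectUserSid": sid,
        "SubjectUserName": user,
        "ObjectDN": "CN=alice,OU=Staff,DC=corp,DC=example"}}

# Constructed samples: a SYSTEM roaming write (noise), a write by an ordinary
# account (should alert) and an unrelated attribute change (ignored).
SAMPLE_EVENTS = [
    _event(TARGET_ATTRIBUTE, LOCAL_SYSTEM_SID, "DC01$"),
    _event(TARGET_ATTRIBUTE, "S-1-5-21-1111-2222-3333-1105", "bob"),
    _event("description", "S-1-5-21-1111-2222-3333-1105", "bob"),
]

def find_alerts(events):
    """Return (actor, target DN) pairs for every event matching the rule."""
    return [(e["event_data"]["SubjectUserName"], e["event_data"]["ObjectDN"])
            for e in events if is_credential_roaming_tamper(e)]

if __name__ == "__main__":
    for actor, dn in find_alerts(SAMPLE_EVENTS):
        print(f"ALERT: {actor} wrote {TARGET_ATTRIBUTE} on {dn}")
```

The SYSTEM-originated write is dropped by the SID exclusion; in a real deployment, tune that exclusion against the accounts that legitimately perform roaming updates in your forest.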
Categories
- Windows
- Identity Management
- Endpoint
- Cloud
Data Sources
- Active Directory
- Windows Registry
- File
- Application Log
ATT&CK Techniques
- T1068
Created: 2022-11-09