[Rule Tuning] Potential Shadow Credentials added to AD Object (#2359)

Limit the query to a suspicious KEYCREDENTIALLINK_BLOB value length of 828 (`DN-Binary data: B:<char count>:<binary value>:<object DN>`), which matches the addition of a KeyCredential structure by public offensive tooling and avoids FPs (Azure, CredGuard and others).

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Samirbous
2022-11-15 20:01:22 +00:00
committed by GitHub
parent b0156181e7
commit cbbac02b56
@@ -3,7 +3,7 @@ creation_date = "2022/01/26"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/08/24"
updated_date = "2022/10/15"
[rule]
author = ["Elastic"]
@@ -50,6 +50,7 @@ references = [
"https://posts.specterops.io/shadow-credentials-abusing-key-trust-account-mapping-for-takeover-8ee1a53566ab",
"https://www.thehacker.recipes/ad/movement/kerberos/shadow-credentials",
"https://github.com/OTRF/Set-AuditRule",
"https://cyberstoph.org/posts/2022/03/detecting-shadow-credentials/",
]
risk_score = 73
rule_id = "79f97b31-480e-4e63-a7f4-ede42bf2c6de"
@@ -59,7 +60,8 @@ timestamp_override = "event.ingested"
type = "query"
query = '''
event.action:"Directory Service Changes" and event.code:"5136" and winlog.event_data.AttributeLDAPDisplayName:"msDS-KeyCredentialLink"
event.action:"Directory Service Changes" and event.code:"5136" and
winlog.event_data.AttributeLDAPDisplayName:"msDS-KeyCredentialLink" and winlog.event_data.AttributeValue :B\:828*
'''