drop ad object diff + msds-keycredentiallink · detect shadow-cred attacks
flags KeyCredentialLink on privileged accounts · non-AzureAD device refs · rapid credential link churn
heuristic screener · KeyCredentialLink blob parse is best-effort · no live AD validation · not definitive proof