
Summary
This analytic rule monitors use of the `Set-ADAccountControl` cmdlet in PowerShell to detect when the Kerberos pre-authentication flag is disabled on a user account, an event that may signify malicious activity. Disabling this flag can allow attackers to apply the AS-REP Roasting technique and run offline brute-force attacks against user passwords. The rule leverages PowerShell Script Block Logging, specifically EventCode 4104, to detect invocation of the cmdlet with parameters that change the account's pre-authentication requirement. When such activity is identified, it can provide valuable insight into potential privilege escalation or persistence attempts within an Active Directory environment, which is critical for defending against advanced threats.
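The detection logic described above, written here as an added example in Python rather than the rule's own query language; it is not the rule's code. It runs over constructed EventCode 4104 records and assumes the Windows PowerShell log field names (EventCode, Computer, UserID, ScriptBlockText); `-DoesNotRequirePreAuth` is the real `Set-ADAccountControl` parameter that controls the pre-authentication flag.

```python
import re
from typing import Dict, Iterable, List

# Match the cmdlet invocation that clears the pre-authentication requirement.
# PowerShell is case-insensitive and accepts "-Param $true", "-Param:$true"
# or "-Param 1", so the pattern covers all three forms. A value of $false
# (re-enabling pre-auth) deliberately does not match.
_PREAUTH_OFF = re.compile(
    r"Set-ADAccountControl\b.*?"
    r"-DoesNotRequirePreAuth\s*:?\s*(?P<value>\$true|1)\b",
    re.IGNORECASE | re.DOTALL,
)
# Pull the target account out of -Identity for the alert (may be a
# samAccountName or a quoted distinguished name).
_IDENTITY = re.compile(r"-Identity\s+['\"]?(?P<id>[^\s'\"]+)", re.IGNORECASE)

# Constructed sample records, not real log data.
SAMPLE_EVENTS = [
    {"EventCode": 4104, "Computer": "ws01.corp.example", "UserID": "S-1-5-21-1-1-1-1105",
     "ScriptBlockText": "Set-ADAccountControl -Identity svc_backup -DoesNotRequirePreAuth $true"},
    {"EventCode": 4104, "Computer": "ws01.corp.example", "UserID": "S-1-5-21-1-1-1-1105",
     "ScriptBlockText": "Set-ADAccountControl -Identity svc_backup -DoesNotRequirePreAuth $false"},
    {"EventCode": 4104, "Computer": "dc01.corp.example", "UserID": "S-1-5-21-1-1-1-500",
     "ScriptBlockText": "Set-ADAccountControl -Identity jdoe -PasswordNeverExpires $true"},
    {"EventCode": 4104, "Computer": "ws02.corp.example", "UserID": "S-1-5-21-1-1-1-1201",
     "ScriptBlockText": "set-adaccountcontrol -identity 'CN=Alice,OU=Staff,DC=corp,DC=example' -DoesNotRequirePreAuth:$true"},
    {"EventCode": 4103, "Computer": "ws02.corp.example", "UserID": "S-1-5-21-1-1-1-1201",
     "ScriptBlockText": "Set-ADAccountControl -Identity bob -DoesNotRequirePreAuth $true"},
]


def detect_preauth_disabled(events: Iterable[Dict]) -> List[Dict]:
    """Return one alert per 4104 event whose script block disables pre-auth."""
    alerts = []
    for ev in events:
        if int(ev.get("EventCode", 0)) != 4104:   # only script block logging events
            continue
        text = ev.get("ScriptBlockText", "")
        if not _PREAUTH_OFF.search(text):
            continue
        ident = _IDENTITY.search(text)
        alerts.append({
            "host": ev.get("Computer"),
            "user": ev.get("UserID"),
            "target_account": ident.group("id") if ident else None,
            "script": text.strip(),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_preauth_disabled(SAMPLE_EVENTS):
        print(alert)
```

Long scripts are split across several 4104 events and obfuscated invocations will not match this literal pattern, so pair the rule with a change-monitoring check on the userAccountControl attribute itself.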
Categories
- Windows
- Endpoint
- Identity Management
- Cloud
Data Sources
- Pod
- Process
- Application Log
ATT&CK Techniques
- T1558
- T1558.004
Created: 2024-11-13