
PowerShell Kerberos Ticket Request

Elastic Detection Rules

Summary
The detection rule "PowerShell Kerberos Ticket Request" identifies PowerShell scripts that may be used for Kerberoasting. Kerberoasting abuses the Kerberos authentication protocol: any authenticated domain user can request service tickets for accounts that have service principal names (SPNs) registered, and attackers use PowerShell to request those tickets, extract them, and crack them offline to recover service account passwords and gain unauthorized access. The rule relies on PowerShell script block logging (Event ID 4104) to capture the script text it inspects. Key investigative steps include analyzing the script content, verifying the execution context and which accounts were targeted, and checking the associated service accounts for weak passwords or excessive privileges. False positives can occur when the detected scripts request tickets for accounts other than user accounts, for example as part of legitimate administration. If the alert is confirmed as malicious, incident response involves isolating affected hosts, resetting the passwords of the implicated service and user accounts, and improving logging coverage so that future activity is detected earlier. This detection is particularly relevant in environments where PowerShell is used extensively, since it supports both legitimate administrative tasks and malicious activity. The rule only works if PowerShell script block logging is enabled, which can be configured through Group Policy or the corresponding registry settings.
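The following PowerShell snippet is an added example, not code from Elastic or from the rule page itself. It shows the registry-based equivalent of the Group Policy setting the summary mentions, verifies that the setting is in place, and pulls recent Event ID 4104 records from the PowerShell Operational log so an analyst can confirm that the data the rule depends on is actually being produced. The registry path, value name and event property layout are the documented Windows ones; the function names and the one-hour lookback window are this example's own choices.

```powershell
# Added example (not from the Elastic rule page): enable PowerShell script block
# logging via the policy registry key and confirm that 4104 events are recorded.
# Requires an elevated session. The Group Policy equivalent is:
# Computer Configuration > Administrative Templates > Windows Components >
# Windows PowerShell > Turn on PowerShell Script Block Logging.

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'

function Enable-ScriptBlockLogging {
    # Create the policy key if no Group Policy object has already created it.
    if (-not (Test-Path $policyKey)) {
        New-Item -Path $policyKey -Force | Out-Null
    }
    # EnableScriptBlockLogging = 1 makes every executed script block land in
    # Microsoft-Windows-PowerShell/Operational as Event ID 4104.
    New-ItemProperty -Path $policyKey -Name 'EnableScriptBlockLogging' `
        -Value 1 -PropertyType DWord -Force | Out-Null
}

function Test-ScriptBlockLogging {
    # Returns $true when the policy value is present and set to 1.
    $props = Get-ItemProperty -Path $policyKey -Name 'EnableScriptBlockLogging' `
        -ErrorAction SilentlyContinue
    return ($null -ne $props -and $props.EnableScriptBlockLogging -eq 1)
}

function Get-RecentScriptBlockEvents {
    param([int]$Hours = 24, [int]$MaxEvents = 50)
    # For Event ID 4104, Properties[2] holds ScriptBlockText, the field that the
    # detection rule inspects; Properties[4] holds the script path, if any.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddHours(-$Hours)
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated,
            @{ n = 'Path';            e = { $_.Properties[4].Value } },
            @{ n = 'ScriptBlockText'; e = { $_.Properties[2].Value } }
}

Enable-ScriptBlockLogging
if (Test-ScriptBlockLogging) {
    Write-Host 'PowerShell script block logging is enabled.'
} else {
    Write-Warning 'Script block logging is NOT enabled; the detection rule will have no data.'
}

# Show what has been logged in the last hour so the pipeline can be validated end to end.
Get-RecentScriptBlockEvents -Hours 1 | Format-Table -AutoSize -Wrap
```

Group Policy takes precedence over a value written directly to the registry, so in a domain-joined environment the registry write is only a stopgap; the durable fix is the policy setting itself. Forwarding the 4104 events to the SIEM (for Elastic, via the Windows integration's PowerShell Operational log input) is what actually gives the rule something to evaluate.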
Categories
  • Endpoint
  • Windows
Data Sources
  • Script
  • Logon Session
  • Application Log
ATT&CK Techniques
  • T1003
  • T1558
  • T1558.003
  • T1059
  • T1059.001
Created: 2022-01-24