
Summary
This detection rule targets malicious activity associated with PowerShell scripts that request a single Kerberos ticket by using the System.IdentityModel.Tokens.KerberosRequestorSecurityToken class. The technique relates to credential access tactics used by attackers during a Kerberos or silver ticket attack, where they aim to extract Service Principal Names (SPNs) associated with a computer in an Active Directory environment. By querying the domain, the script can facilitate unauthorized access to services by misusing ticket granting tickets. Because the execution of such scripts may indicate privilege escalation or lateral movement within a network, effective monitoring and detection are essential to mitigate the risk. The detection relies on PowerShell script block logging in Windows, which must be enabled for the rule to generate an alert when the specified text string appears in a logged PowerShell script block. An alert indicates that a PowerShell script with suspicious intent has been executed and requires further investigation to determine the intent and impact of the activity.
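As an added illustration of how this rule's string match is applied to script block logging events (this is example code written for this page, not the rule's own implementation or code from its source project), the Python below runs the indicator over a constructed feed of Windows PowerShell Event ID 4104 records. It assumes the events have been parsed into the 4104 fields ScriptBlockId, MessageNumber, MessageTotal and ScriptBlockText; the sample events, their ScriptBlockId values and the SPN placeholder are constructed for the example. It also shows why fragments of one script block should be reassembled before matching: script block logging splits long scripts across several 4104 events, and a per-event match misses an indicator that straddles a split.

```python
"""Match PowerShell script block logging (Event ID 4104) events against the
KerberosRequestorSecurityToken indicator from the detection rule above."""
from collections import defaultdict
from dataclasses import dataclass

# The text string the rule keys on (taken from the rule description).
INDICATOR = "System.IdentityModel.Tokens.KerberosRequestorSecurityToken"

# Event written to Microsoft-Windows-PowerShell/Operational by script block
# logging for every script block PowerShell compiles.
SCRIPT_BLOCK_EVENT_ID = 4104


@dataclass
class ScriptBlockEvent:
    event_id: int
    script_block_id: str  # ScriptBlockId: shared by all fragments of one script
    fragment: int         # MessageNumber (1-based position of this fragment)
    total: int            # MessageTotal (number of fragments)
    text: str             # ScriptBlockText


def reassemble(events):
    """Join the fragments of each script block back together.

    Returns {script_block_id: full_text}. Non-4104 events are ignored.
    """
    parts = defaultdict(dict)
    for e in events:
        if e.event_id != SCRIPT_BLOCK_EVENT_ID:
            continue
        parts[e.script_block_id][e.fragment] = e.text
    return {sbid: "".join(frags[i] for i in sorted(frags))
            for sbid, frags in parts.items()}


def detect(events):
    """ScriptBlockIds whose reassembled text contains the indicator.

    The comparison is case-insensitive because PowerShell resolves .NET type
    names case-insensitively, so a lower-cased type name behaves the same.
    """
    needle = INDICATOR.lower()
    return sorted(sbid for sbid, text in reassemble(events).items()
                  if needle in text.lower())


def detect_per_fragment(events):
    """Naive variant: match each 4104 event on its own (for comparison)."""
    needle = INDICATOR.lower()
    return sorted({e.script_block_id for e in events
                   if e.event_id == SCRIPT_BLOCK_EVENT_ID
                   and needle in e.text.lower()})


# Constructed sample events; these are not real logs.
SAMPLE_EVENTS = [
    # Benign inventory script, a single fragment.
    ScriptBlockEvent(4104, "sb-benign", 1, 1,
                     "Get-ADComputer -Filter * | Select-Object Name, DNSHostName"),
    # Suspicious script whose type name straddles a fragment boundary.
    ScriptBlockEvent(4104, "sb-suspect", 1, 2,
                     "Add-Type -AssemblyName System.IdentityModel\n"
                     "$t = New-Object System.IdentityModel.Tokens.Kerberos"),
    ScriptBlockEvent(4104, "sb-suspect", 2, 2,
                     "RequestorSecurityToken -ArgumentList 'SPN_PLACEHOLDER'"),
    # Same type name written in lower case, single fragment.
    ScriptBlockEvent(4104, "sb-lower", 1, 1,
                     "[system.identitymodel.tokens.kerberosrequestorsecuritytoken]"),
    # A 4103 (module logging) event is outside this rule's data source.
    ScriptBlockEvent(4103, "sb-other", 1, 1, INDICATOR),
]


if __name__ == "__main__":
    print("reassembled match :", detect(SAMPLE_EVENTS))
    print("per-fragment match:", detect_per_fragment(SAMPLE_EVENTS))
```

On the sample feed the reassembled match flags both the straddling script block and the lower-cased one, while the per-fragment match flags only the latter. The match is still a literal string match, so a script that builds the type name at run time from concatenated pieces is not caught by this indicator; pairing the rule with a check for the assembly load (System.IdentityModel) or with the corresponding Kerberos service ticket request events on the domain controller gives broader coverage.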
Categories
- Windows
- Identity Management
- Endpoint
Data Sources
- Script
- Process
- Command
ATT&CK Techniques
- T1558.003
Created: 2021-12-28