
Summary
This analytic detection rule identifies the use of `setspn.exe`, a Windows command-line utility that manages Service Principal Names (SPNs), to query domain SPNs. The rule relies primarily on Endpoint Detection and Response (EDR) data such as Sysmon Event ID 1 and Windows Security Event Log 4688 to monitor the command-line arguments passed to `setspn.exe`. This activity can indicate reconnaissance by attackers who intend to exploit the discovered SPNs in subsequent Kerberoasting or other Kerberos-related attacks aimed at credential theft and privilege escalation. Watching for this behavior lets defenders recognize the early stages of a larger attack: confirmed malicious use of `setspn.exe` can let an attacker gather intelligence, escalate privileges, or maintain persistence in the environment, so timely detection and response are crucial to mitigating the risk.
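As an added illustration of the detection logic this rule describes (example code, not the rule's own query): the function below scans constructed Sysmon Event ID 1 and Security 4688 records for `setspn.exe` and flags only invocations that carry SPN query switches, leaving SPN registration by administrators out of scope. The switch set (`-Q`, `-T`, `-L`, `-F`), the field names and the sample events are assumptions of this example.

```python
"""Flag setspn.exe SPN enumeration in Sysmon EID 1 / Security 4688 records."""

# Assumption: switches that read SPNs (query/list); -S/-A/-D register or delete SPNs
QUERY_SWITCHES = {"-q", "-l", "-t", "-f"}

# Constructed sample events; field names mirror Sysmon Event ID 1 and Security 4688
SAMPLE_EVENTS = [
    {"source": "sysmon", "EventID": 1, "Image": r"C:\Windows\System32\setspn.exe",
     "OriginalFileName": "setspn.exe", "User": "CORP\\jdoe",
     "CommandLine": "setspn -T corp.example -Q */*"},
    {"source": "security", "EventID": 4688, "SubjectUserName": "jdoe",
     "NewProcessName": r"C:\Windows\System32\SetSPN.EXE",
     "CommandLine": "setspn.exe -L CORP\\svc-sql"},
    {"source": "sysmon", "EventID": 1, "Image": r"C:\Windows\System32\setspn.exe",
     "OriginalFileName": "setspn.exe", "User": "CORP\\admin",
     "CommandLine": "setspn -S MSSQLSvc/db01.corp.example:1433 svc-sql"},
    {"source": "sysmon", "EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "OriginalFileName": "Cmd.Exe", "User": "CORP\\jdoe",
     "CommandLine": "cmd /c whoami"},
]


def _process_name(event):
    """Basename of the process path, lower-cased (Sysmon 'Image' or 4688 'NewProcessName')."""
    path = event.get("Image") or event.get("NewProcessName") or ""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _is_setspn(event):
    """Match on the path basename; Sysmon's OriginalFileName also survives a renamed binary."""
    return (_process_name(event) == "setspn.exe"
            or event.get("OriginalFileName", "").lower() == "setspn.exe")


def _query_switches(cmdline):
    """Return the query switches present; setspn accepts '-' or '/' and is case-insensitive."""
    tokens = cmdline.split()
    found = {("-" + t[1:]).lower() for t in tokens if len(t) > 1 and t[0] in "-/"}
    return found & QUERY_SWITCHES


def detect(events):
    """One finding per process event in which setspn.exe was used to query SPNs."""
    findings = []
    for ev in events:
        if not _is_setspn(ev):
            continue
        hits = _query_switches(ev.get("CommandLine", ""))
        if not hits:
            continue  # registration/deletion switches only: outside this rule's scope
        findings.append({"event_id": ev["EventID"],
                         "user": ev.get("User") or ev.get("SubjectUserName"),
                         "switches": sorted(hits), "command_line": ev["CommandLine"]})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

In a real deployment the same match would run as the SIEM query over the `CommandLine` and `Image`/`NewProcessName` fields, with the switch list tuned to the environment's legitimate administrative use.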
Categories
- Windows
- Cloud
- On-Premise
- Infrastructure
- Application
- Identity Management
Data Sources
- Process
- Windows Registry
- Application Log
ATT&CK Techniques
- T1558
- T1558.003
Created: 2024-12-10