
Summary
This detection rule monitors for the addition of Service Principal Names (SPNs) to domain accounts in a Windows Active Directory (AD) environment, a change that is often a precursor to credential attacks. Using Windows Security Event Code 5136 (a directory service object was modified), the rule tracks changes to the servicePrincipalName attribute of user objects. Adding SPNs is frequently a legitimate requirement for applications, but attackers can also abuse it as part of 'Kerberoasting', a technique in which SPNs are harvested so that the passwords of the associated service accounts can be cracked offline. If successful, attackers obtain cleartext passwords, enabling unauthorized access and lateral movement within the network. The rule outputs the user and computer information associated with the change and supports further investigation via drilldown searches.
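The following is an added illustration of the detection logic described above, written for this page rather than taken from the rule's own search. It assumes Event 5136 records flattened into key=value lines (a constructed sample, not real log data) and uses the documented 5136 OperationType code %%14674 for "Value Added".

```python
"""Flag servicePrincipalName additions in Windows Security Event 5136 records."""
import re
from typing import Dict, List

# Constructed sample events (not real log data). Only the first one should fire:
# an SPN value is added to a user object. The others are a deletion, an SPN added
# to a computer object, a different attribute, and an unrelated event code.
SAMPLE_EVENTS = [
    'EventCode=5136 SubjectUserName=svc_deploy SubjectDomainName=CORP ComputerName=DC01.corp.local '
    'ObjectDN="CN=websvc,OU=Service,DC=corp,DC=local" ObjectClass=user '
    'AttributeLDAPDisplayName=servicePrincipalName AttributeValue="HTTP/web01.corp.local" OperationType=%%14674',
    'EventCode=5136 SubjectUserName=svc_deploy SubjectDomainName=CORP ComputerName=DC01.corp.local '
    'ObjectDN="CN=websvc,OU=Service,DC=corp,DC=local" ObjectClass=user '
    'AttributeLDAPDisplayName=servicePrincipalName AttributeValue="HTTP/old01.corp.local" OperationType=%%14675',
    'EventCode=5136 SubjectUserName=DC01$ SubjectDomainName=CORP ComputerName=DC01.corp.local '
    'ObjectDN="CN=WS42,CN=Computers,DC=corp,DC=local" ObjectClass=computer '
    'AttributeLDAPDisplayName=servicePrincipalName AttributeValue="HOST/ws42.corp.local" OperationType=%%14674',
    'EventCode=5136 SubjectUserName=jdoe SubjectDomainName=CORP ComputerName=DC01.corp.local '
    'ObjectDN="CN=websvc,OU=Service,DC=corp,DC=local" ObjectClass=user '
    'AttributeLDAPDisplayName=description AttributeValue="Web service account" OperationType=%%14674',
    'EventCode=4738 SubjectUserName=jdoe SubjectDomainName=CORP ComputerName=DC01.corp.local',
]

# key=value pairs; quoted values may contain spaces and commas (e.g. ObjectDN).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
VALUE_ADDED = "%%14674"  # Event 5136 OperationType: Value Added (%%14675 is Value Deleted)


def parse_event(line: str) -> Dict[str, str]:
    """Turn one flattened event line into a field dictionary."""
    return {key: value.strip('"') for key, value in KV_RE.findall(line)}


def spn_additions(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per SPN value added to a user object (Event 5136)."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventCode") != "5136":
            continue
        if ev.get("AttributeLDAPDisplayName") != "servicePrincipalName":
            continue
        if ev.get("OperationType") != VALUE_ADDED or ev.get("ObjectClass") != "user":
            continue
        findings.append({
            "user": f'{ev.get("SubjectDomainName", "")}\\{ev.get("SubjectUserName", "")}',
            "dest": ev.get("ComputerName", ""),
            "target_object": ev.get("ObjectDN", ""),
            "spn": ev.get("AttributeValue", ""),
        })
    return findings


if __name__ == "__main__":
    for hit in spn_additions(SAMPLE_EVENTS):
        print(hit)
```

Each finding carries the subject user, the domain controller that logged the change, the modified object and the SPN value, which is the information a drilldown search would pivot on.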
Categories
- Windows
- Identity Management
Data Sources
- Windows Registry
- Active Directory
ATT&CK Techniques
- T1098
Created: 2024-11-13