
Kerberos Pre-authentication Disabled for User

Elastic Detection Rules

Summary
This detection rule identifies changes that disable Kerberos pre-authentication on user accounts in a Windows domain, a modification that is a common precursor to AS-REP roasting. An actor holding GenericWrite or GenericAll rights over a user object can set the DONT_REQ_PREAUTH flag in its userAccountControl attribute, whether by mistake or with intent. Pre-authentication matters because, once it is disabled, anyone on the network can request an AS-REP for the account without proving knowledge of its password; the reply contains material encrypted with a key derived from that password, which the attacker can then crack offline. The rule's query matches Windows Security event code 4738 (a user account was changed) where the logged User Account Control change shows pre-authentication being switched off. Event 4738 on its own only records that some account attribute changed, so it is the pre-authentication flag in the change list that separates this from routine account maintenance. Investigative steps include establishing who made the change and what rights they hold over the target account, confirming with the account owner whether the change was expected, and reviewing the account's recent behaviour for anomalies. The rule requires the Audit User Account Management subcategory to be enabled for Success and Failure, since event 4738 is not logged otherwise, and it provides guidance for responding to confirmed incidents.
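To make the rule's condition concrete, the following Python replays it over a few constructed 4738 records and adds the follow-up check an analyst runs against the account's current userAccountControl value. This is an added example, not Elastic's rule code or query: the record layout (an "event.code" field plus the rendered "message" text, as a log shipper would forward it), the sample account names and SIDs, and the helper names are all assumptions made for this illustration; the message layout follows the Windows Security log's 4738 format, and DONT_REQ_PREAUTH = 0x400000 is the documented userAccountControl bit.

```python
"""Added example, not part of the Elastic rule: replay the 4738 pre-auth check
over constructed records and check userAccountControl during investigation.

Assumptions: records carry "event.code" and the rendered "message" text; the
4738 message layout follows the Windows Security log format for that event.
"""
from dataclasses import dataclass, field

# Documented userAccountControl bit: "Do not require Kerberos preauthentication"
DONT_REQ_PREAUTH = 0x400000

# Change description 4738 renders when pre-authentication is switched off
PREAUTH_OFF = "'Don't Require Preauth' - Enabled"


@dataclass
class Event4738:
    subject: str = ""                       # account that made the change
    target: str = ""                        # account that was changed
    uac_changes: list = field(default_factory=list)


def parse_4738(message: str) -> Event4738:
    """Extract subject, target and the User Account Control change list
    from the rendered 4738 message text."""
    ev = Event4738()
    section, in_uac = None, False
    for raw in message.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Section headers ("Subject:", "Target Account:") are not indented
        if line.endswith(":") and not raw.startswith(("\t", " ")):
            section, in_uac = line[:-1], False
            continue
        if line.startswith("Account Name:"):
            name = line.split(":", 1)[1].strip()
            if section == "Subject":
                ev.subject = name
            elif section == "Target Account":
                ev.target = name
            in_uac = False
        elif line.startswith("User Account Control:"):
            in_uac = True                   # change descriptions follow, one per line
        elif in_uac and line.startswith("'"):
            ev.uac_changes.append(line)
        else:
            in_uac = False
    return ev


def preauth_disabled(record: dict) -> bool:
    """The rule's condition: a 4738 whose UAC change list enables DONT_REQ_PREAUTH.
    A change in the other direction ("- Disabled") is remediation, not a hit."""
    if record.get("event.code") != "4738":
        return False
    return PREAUTH_OFF in parse_4738(record.get("message", "")).uac_changes


def find_preauth_disabled(records):
    """Return (subject, target) pairs for every record that would fire the rule."""
    hits = []
    for rec in records:
        if preauth_disabled(rec):
            ev = parse_4738(rec["message"])
            hits.append((ev.subject, ev.target))
    return hits


def uac_has_preauth_disabled(uac_value: int) -> bool:
    """Investigative check on the account's current LDAP userAccountControl
    integer (e.g. as returned by an AD query): is the flag still set?"""
    return bool(uac_value & DONT_REQ_PREAUTH)


def _msg(subject, target, uac_lines):
    """Build a constructed 4738 message body (sample data, not a real event)."""
    uac = "".join(f"\n\t\t{l}" for l in uac_lines) or "\t-"
    return (
        "A user account was changed.\n\n"
        "Subject:\n"
        "\tSecurity ID:\t\tS-1-5-21-1111-2222-3333-1104\n"
        f"\tAccount Name:\t\t{subject}\n"
        "\tAccount Domain:\t\tCORP\n"
        "\tLogon ID:\t\t0x5A3F2\n\n"
        "Target Account:\n"
        "\tSecurity ID:\t\tS-1-5-21-1111-2222-3333-1205\n"
        f"\tAccount Name:\t\t{target}\n"
        "\tAccount Domain:\t\tCORP\n\n"
        "Changed Attributes:\n"
        "\tSAM Account Name:\t-\n"
        f"\tUser Account Control:{uac}\n"
        "\tUser Parameters:\t-\n"
    )


# Constructed sample records: one true hit, two benign 4738s, one non-4738 event
SAMPLE_RECORDS = [
    {"event.code": "4738", "message": _msg("jdoe", "svc-backup", [PREAUTH_OFF])},
    {"event.code": "4738", "message": _msg("helpdesk1", "alice",
                                            ["'Don't Expire Password' - Enabled"])},
    {"event.code": "4738", "message": _msg("admin", "svc-backup",
                                            ["'Don't Require Preauth' - Disabled"])},
    {"event.code": "4720", "message": "A user account was created.\n"},
]

if __name__ == "__main__":
    for subject, target in find_preauth_disabled(SAMPLE_RECORDS):
        print(f"ALERT: {subject} disabled Kerberos pre-authentication on {target}")
```

Only the first record fires: the second changes an unrelated flag, the third re-enables pre-authentication on the same account, and the fourth is a different event code. The subject/target pair the parser returns is what drives the first investigative step (what rights does the subject hold over the target), and uac_has_preauth_disabled() answers whether the account is still exposed at the time of triage.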
Categories
  • Endpoint
  • Windows
  • Identity Management
Data Sources
  • Active Directory
  • Windows Registry
  • Logon Session
ATT&CK Techniques
  • T1558 (Steal or Forge Kerberos Tickets)
  • T1558.004 (AS-REP Roasting)
  • T1562 (Impair Defenses)
  • T1078 (Valid Accounts)
  • T1078.002 (Domain Accounts)
Created: 2022-01-24