Powersploit SPN Enumeration

Anvilogic Forge

Summary
This detection rule targets potential Kerberoasting attempts in environments that use Microsoft Kerberos for authentication. Specifically, it identifies PowerShell scripts and commands commonly used in Kerberoasting, a technique in which service tickets are obtained from the Kerberos database so that they can be cracked offline. The rule uses Splunk searches to filter endpoint data for suspicious scripts such as 'Kerberoast.ps1' and 'GetUserSPNS.ps1' and for commands such as 'Get-NetUser -SPN'. It also looks for certain System.DirectoryServices and System.IdentityModel components whose use can indicate malicious activity involving service principal names (SPNs). The rule tracks and analyzes behavior patterns indicative of such compromises, enabling timely alerts and investigations based on the detected patterns, and associates the activity with known threat actors such as APT29. It produces a statistical view of the data, listing pertinent details such as the host and user involved in potential Kerberoasting activity.
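The matching logic described above, written out as an added Python example rather than Anvilogic's own Splunk search: it scans constructed endpoint records (the host, user and cmd field names are assumptions) for the indicators the summary names and then counts hits per host and user, the way the rule's statistical view does.

```python
import re
from collections import Counter

# Indicators named in the rule summary: script names, the PowerView cmdlet
# and the two .NET namespaces. Each entry is (canonical name, regex).
INDICATORS = [
    ("Kerberoast.ps1", r"Kerberoast\.ps1"),
    ("GetUserSPNS.ps1", r"GetUserSPNS\.ps1"),
    ("Get-NetUser -SPN", r"Get-NetUser\s+-SPN"),
    ("System.DirectoryServices", r"System\.DirectoryServices"),
    ("System.IdentityModel", r"System\.IdentityModel"),
]
# One alternation with a capture group per indicator; lastindex tells us which one fired.
PATTERN = re.compile("|".join(f"({rx})" for _, rx in INDICATORS), re.IGNORECASE)

# Constructed sample endpoint records (not real telemetry); cmd is the process command line.
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "alice", "cmd": r"powershell.exe -nop -w hidden -File C:\Temp\Kerberoast.ps1"},
    {"host": "WS01", "user": "alice", "cmd": 'powershell.exe -c "Get-NetUser -SPN | select samaccountname"'},
    {"host": "DC01", "user": "svc_backup", "cmd": r"powershell.exe -c Get-ChildItem C:\Backups"},
    {"host": "WS02", "user": "bob", "cmd": "powershell.exe -c Add-Type -AssemblyName System.IdentityModel"},
    {"host": "WS03", "user": "carol", "cmd": "powershell.exe -c New-Object System.DirectoryServices.DirectorySearcher"},
]


def match_event(event):
    """Return the canonical indicator name matched in the command line, or None."""
    m = PATTERN.search(event["cmd"])
    if not m:
        return None
    return INDICATORS[m.lastindex - 1][0]


def detect(events):
    """Keep only events that match an indicator, annotating each with what fired.
    The namespace indicators are broad (admin tooling uses them too), so hits on
    those alone warrant review rather than an automatic verdict."""
    hits = []
    for event in events:
        name = match_event(event)
        if name:
            hits.append({**event, "indicator": name})
    return hits


def summarize(hits):
    """Count hits per (host, user), like a Splunk 'stats count by host, user'."""
    return Counter((h["host"], h["user"]) for h in hits)
```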
Categories
  • Windows
  • Cloud
  • Endpoint
Data Sources
  • Process
  • Script
  • User Account
  • Application Log
ATT&CK Techniques
  • T1558.003
  • T1558
Created: 2024-02-09