
Summary
This analytic rule detects use of the `Get-DomainSPNTicket` PowerShell cmdlet from the PowerView toolkit, which attackers commonly use to perform Kerberoasting. The cmdlet requests Kerberos service tickets for accounts that have service principal names (SPNs) registered; because each ticket is encrypted with a key derived from the service account's password, the tickets can be taken offline and cracked with tools such as hashcat to recover that password. The detection monitors Event ID 4104 (PowerShell Script Block Logging), which records the text of executed script blocks, and matches on the cmdlet name; it therefore depends on script block logging being enabled on the monitored hosts. Successful Kerberoasting yields valid credentials for service accounts, which are often highly privileged, and so enables unauthorized access, privilege escalation, and broader network compromise. Alerts from this rule should be investigated as potential credential theft activity.
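As an added illustration (not part of the original rule or of PowerView), the following script applies the rule's matching logic to a handful of constructed 4104 events. It reassembles script blocks that Windows split across several events (chunks share a ScriptBlockId and are ordered by MessageNumber of MessageTotal), matches the cmdlet name case-insensitively because PowerShell names are case-insensitive, and distinguishes a `function Get-DomainSPNTicket` definition (PowerView being imported) from a bare reference (likely an invocation). All hostnames, SIDs, ScriptBlockIds and script text are constructed sample data; the field names follow the 4104 event schema but nothing here was captured from a real system.

```python
"""Added example: match Get-DomainSPNTicket in (reassembled) PowerShell 4104 events."""
import re
from collections import defaultdict

# PowerShell cmdlet names are case-insensitive, so the match must be too.
CMDLET_PATTERN = re.compile(r"Get-DomainSPNTicket", re.IGNORECASE)
DEFINITION_PATTERN = re.compile(r"function\s+Get-DomainSPNTicket\b", re.IGNORECASE)

# Constructed SIDs (not real accounts).
SID_WS01 = "S-1-5-21-1111111111-2222222222-3333333333-1105"
SID_SRV02 = "S-1-5-21-1111111111-2222222222-3333333333-1204"


def ev(computer, user, sbid, number, total, text, code=4104):
    """Build one constructed event dict using 4104 field names."""
    return {"EventCode": code, "Computer": computer, "UserID": user, "ScriptBlockId": sbid,
            "MessageNumber": number, "MessageTotal": total, "ScriptBlockText": text}


# Constructed sample events (not real telemetry). Deliberately out of order.
SAMPLE_EVENTS = [
    # A long script chunked into two 4104 events; the cmdlet name straddles the boundary.
    ev("WS01.corp.example", SID_WS01, "0f1a-chunked", 2, 2,
       "SPNTicket -OutputFormat Hashcat | Out-File spn.txt"),
    ev("WS01.corp.example", SID_WS01, "0f1a-chunked", 1, 2,
       "Get-DomainUser -SPN | Get-Domain"),
    # Benign admin activity: must not fire.
    ev("WS01.corp.example", SID_WS01, "b2c3-benign", 1, 1,
       "Get-Date; Get-Process | Sort-Object CPU -Descending"),
    # Mixed-case invocation in a single block.
    ev("SRV02.corp.example", SID_SRV02, "c3d4-single", 1, 1,
       "get-domainspnticket -SPN MSSQLSvc/db01.corp.example:1433"),
    # PowerView being loaded: the function definition, not a call.
    ev("WS01.corp.example", SID_WS01, "e5f6-module", 1, 1,
       "function Get-DomainSPNTicket {\n  [CmdletBinding()] param($SPN)\n}"),
    # Wrong event code (4103 is module logging): the rule only looks at 4104.
    ev("WS01.corp.example", SID_WS01, "f7a8-4103", 1, 1, "Get-DomainSPNTicket", code=4103),
]


def reassemble(events):
    """Group 4104 events by (Computer, ScriptBlockId) and join chunks in MessageNumber order."""
    groups = defaultdict(list)
    for e in events:
        if e.get("EventCode") != 4104:
            continue
        groups[(e["Computer"], e["ScriptBlockId"])].append(e)
    blocks = {}
    for (computer, sbid), chunks in groups.items():
        chunks.sort(key=lambda c: c["MessageNumber"])
        total = chunks[0]["MessageTotal"]
        blocks[(computer, sbid)] = {
            "Computer": computer, "UserID": chunks[0]["UserID"], "ScriptBlockId": sbid,
            "text": "".join(c["ScriptBlockText"] for c in chunks),
            # True only if every chunk 1..MessageTotal was collected.
            "complete": [c["MessageNumber"] for c in chunks] == list(range(1, total + 1)),
        }
    return blocks


def detect(events):
    """Return one finding per reassembled script block that references the cmdlet."""
    findings = []
    for block in reassemble(events).values():
        match = CMDLET_PATTERN.search(block["text"])
        if not match:
            continue
        findings.append({
            "Computer": block["Computer"], "UserID": block["UserID"],
            "ScriptBlockId": block["ScriptBlockId"], "matched": match.group(0),
            # A definition means the module was imported; a bare reference is likely a call.
            "kind": "definition" if DEFINITION_PATTERN.search(block["text"]) else "invocation",
        })
    return sorted(findings, key=lambda f: f["ScriptBlockId"])


def detect_per_event(events):
    """Naive per-event match, without reassembly, for comparison with detect()."""
    return [e["ScriptBlockId"] for e in events
            if e.get("EventCode") == 4104 and CMDLET_PATTERN.search(e["ScriptBlockText"])]


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['Computer']} {f['UserID']} {f['ScriptBlockId']} {f['kind']} ({f['matched']})")
    print("per-event only:", detect_per_event(SAMPLE_EVENTS))
```

Running the block flags three blocks: the chunked invocation on WS01, the mixed-case invocation on SRV02, and the module load on WS01 (reported as a definition). The naive per-event comparison misses the chunked block entirely, which is the caveat worth carrying into triage of a plain field search: a cmdlet name split across two 4104 events is invisible to a per-event wildcard match, and a match on `function Get-DomainSPNTicket` indicates PowerView was loaded rather than that a ticket was requested.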
Categories
- Endpoint
- Windows
- Identity Management
Data Sources
- Pod
- Container
- User Account
- Process
- Application Log
- Script
ATT&CK Techniques
- T1558
- T1558.003
Created: 2024-11-13