Potential SPN Enumeration Via Setspn.EXE

Sigma Rules

Summary
This rule detects potential enumeration of service principal names (SPNs) with the Windows command-line tool setspn.exe, a reconnaissance step that commonly precedes Kerberoasting. In a Kerberoasting attack, any authenticated domain user requests Kerberos service tickets for accounts that have SPNs registered; part of each ticket is encrypted with a key derived from the service account's password, so the tickets can be taken offline and cracked to recover the plaintext password, typically of a user account with a weak password rather than a computer account, and then used to escalate privileges. The rule looks for process-creation events in which setspn.exe is started with a query switch, i.e. a command line containing '-q' or '/q'. It identifies the binary not only by its image name but also by the file-description metadata embedded in the executable, so a copy of setspn.exe renamed to evade an image-name match is still caught. Legitimate administrators query SPNs with the same switch, for example to check for a duplicate before registering one, so matches are expected from normal administration and should be triaged on who ran the command, from which host, and how broad the queried pattern is: a wildcard query such as */* across the whole domain is far more suspicious than a lookup of a single SPN.
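The detection logic described in the summary, written out as an added Python prototype and run over a handful of constructed process-creation events. This is not the Sigma rule itself and not code from the rule's authors: the field names follow the Sysmon Event ID 1 / Sigma process_creation convention (Image, OriginalFileName, Description, CommandLine), the file-description text used for the Description selector is an assumption about setspn.exe's PE version resource, and every event record is constructed for illustration rather than captured from a host.

```python
"""Added example, not part of the Sigma rule or the page: the rule's selection
logic prototyped in Python over constructed Windows process-creation events.
Field names follow the Sysmon Event ID 1 / Sigma process_creation convention.
The FileDescription text below is an assumption about setspn.exe's PE metadata.
"""
from dataclasses import dataclass


@dataclass
class ProcessCreation:
    image: str               # full path of the started executable
    original_file_name: str  # OriginalFilename from the PE version resource
    description: str         # FileDescription from the PE version resource
    command_line: str


# Fragments assumed to appear in setspn.exe's FileDescription (assumption).
SETSPN_DESCRIPTION_FRAGMENTS = ("query or reset the computer", "spn attribute")


def is_setspn(ev: ProcessCreation) -> bool:
    """Image selector: any one of the three attributes identifies setspn.exe.
    Matching on the embedded PE metadata is what catches a copy of the binary
    renamed to dodge an image-name-only rule."""
    return (
        ev.image.lower().endswith("\\setspn.exe")
        or ev.original_file_name.lower() == "setspn.exe"
        or all(f in ev.description.lower() for f in SETSPN_DESCRIPTION_FRAGMENTS)
    )


def has_query_switch(ev: ProcessCreation) -> bool:
    """Command-line selector: a plain case-insensitive substring test, which is
    how Sigma's default 'contains' modifier behaves. '-Q' and '/q' both match."""
    cl = ev.command_line.lower()
    return "-q" in cl or "/q" in cl


def matches(ev: ProcessCreation) -> bool:
    """Both selectors must hold, mirroring a Sigma 'all of selection_*'."""
    return is_setspn(ev) and has_query_switch(ev)


def run_detection(events):
    """Return the indices of the events the rule would alert on."""
    return [i for i, ev in enumerate(events) if matches(ev)]


SETSPN_DESC = "Query or reset the computer's SPN attribute"  # assumed FileDescription
SYS32_SETSPN = r"C:\Windows\System32\setspn.exe"

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # 0: Kerberoasting reconnaissance: wildcard query for every SPN in the domain.
    ProcessCreation(SYS32_SETSPN, "setspn.exe", SETSPN_DESC,
                    "setspn -T contoso.local -Q */*"),
    # 1: setspn.exe copied and renamed; the image selector still fires on the
    #    OriginalFilename carried in the PE header.
    ProcessCreation(r"C:\Users\Public\svc.exe", "setspn.exe", SETSPN_DESC,
                    "svc.exe /Q MSSQLSvc/*"),
    # 2: admin registering an SPN: no query switch, no alert.
    ProcessCreation(SYS32_SETSPN, "setspn.exe", SETSPN_DESC,
                    r"setspn -S HTTP/web01.contoso.local CONTOSO\svc_web"),
    # 3: unrelated tool with a -q flag: image selector fails, no alert.
    ProcessCreation(r"C:\Tools\curl.exe", "curl.exe", "The curl executable",
                    "curl -q https://intranet.contoso.local/"),
    # 4: listing one account's SPNs with -L is outside this rule's scope.
    ProcessCreation(SYS32_SETSPN, "setspn.exe", SETSPN_DESC,
                    r"setspn -L CONTOSO\svc_sql"),
    # 5: benign admin duplicate check before registering an SPN. It fires, so
    #    the analyst triages on who ran it and how broad the pattern is.
    ProcessCreation(SYS32_SETSPN, "setspn.exe", SETSPN_DESC,
                    "setspn -Q HTTP/web01.contoso.local"),
]

if __name__ == "__main__":
    for i in run_detection(SAMPLE_EVENTS):
        print(f"ALERT event {i}: {SAMPLE_EVENTS[i].command_line}")
```

Events 0, 1 and 5 alert. Event 1 shows why the rule keys on embedded file metadata rather than the image path alone, and event 5 shows the built-in false-positive surface: the rule cannot distinguish an administrator's single-SPN lookup from an attacker's query by command line alone, so the SPN pattern, the invoking user and the source host carry the triage.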
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
Created: 2018-11-14