
Kerberos Network Traffic RC4 Ticket Encryption

Sigma Rules

Summary
This detection rule identifies Kerberos Ticket Granting Service (TGS) requests that use RC4 encryption, a potentially insecure method. Such requests can indicate kerberoasting attacks, in which attackers exploit weaknesses in service principal names (SPNs) to obtain ticket-granting tickets (TGTs) and then brute-force them offline.

The rule analyzes network traffic captured by the Zeek (formerly Bro) network security monitor, specifically looking for TGS requests that use the 'rc4-hmac' cipher. Requests from a computer account prefixed with '$' (indicating a service account) are excluded from the detection criteria to reduce false positives from legitimate activity.

The level is medium, reflecting the possible threat posed by anomalous Kerberos requests. For the detection to fire, both the TGS request type and the specific cipher must match. This rule is particularly useful for monitoring environments that rely heavily on Kerberos authentication and can help identify credential theft attempts.
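The following is an added example of the detection logic described above, written for this page rather than taken from the Sigma project or from Zeek. It applies the stated criteria (request type TGS, cipher 'rc4-hmac', exclude clients whose name starts with '$') to Zeek kerberos.log records written in Zeek's JSON log format; the field names `request_type`, `client`, `service`, `cipher`, `ts` and `id.orig_h` follow Zeek's kerberos.log, and the log lines themselves are constructed for illustration. It also goes one step beyond the single-event match by summarizing how many distinct SPNs each matching principal requested, which is the aggregation an analyst typically wants when triaging hits from this rule.

```python
"""Apply the Kerberos RC4 TGS detection to Zeek kerberos.log records.

Added example for this page; not the Sigma rule's own text and not Zeek code.
Assumes Zeek's kerberos.log field names and JSON line output. All sample
records below are constructed, not captured traffic.
"""
import json
from collections import defaultdict

# Constructed sample records in Zeek JSON log format (one object per line).
SAMPLE_LOG = """\
{"ts":1581500001.1,"id.orig_h":"10.0.0.25","request_type":"AS","client":"alice/CORP.LOCAL","service":"krbtgt/CORP.LOCAL","cipher":"aes256-cts-hmac-sha1-96"}
{"ts":1581500002.3,"id.orig_h":"10.0.0.25","request_type":"TGS","client":"alice/CORP.LOCAL","service":"MSSQLSvc/db01.corp.local:1433","cipher":"rc4-hmac"}
{"ts":1581500002.9,"id.orig_h":"10.0.0.25","request_type":"TGS","client":"alice/CORP.LOCAL","service":"HTTP/web01.corp.local","cipher":"rc4-hmac"}
{"ts":1581500003.4,"id.orig_h":"10.0.0.25","request_type":"TGS","client":"alice/CORP.LOCAL","service":"cifs/fs01.corp.local","cipher":"rc4-hmac"}
{"ts":1581500004.0,"id.orig_h":"10.0.0.31","request_type":"TGS","client":"$WS031/CORP.LOCAL","service":"cifs/fs01.corp.local","cipher":"rc4-hmac"}
{"ts":1581500005.7,"id.orig_h":"10.0.0.40","request_type":"TGS","client":"bob/CORP.LOCAL","service":"cifs/fs01.corp.local","cipher":"aes128-cts-hmac-sha1-96"}
"""


def parse_zeek_json(text):
    """Parse JSON-formatted Zeek log lines; skip blanks and '#' header lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        records.append(json.loads(line))
    return records


def matches_rule(record):
    """Return True when a record meets the rule's selection criteria.

    selection:     request_type == 'TGS' and cipher == 'rc4-hmac'
    computer_acct: client name starts with '$' (excluded, per the page)
    condition:     selection and not computer_acct
    """
    selection = (
        record.get("request_type") == "TGS"
        and record.get("cipher") == "rc4-hmac"
    )
    computer_acct = str(record.get("client", "")).startswith("$")
    return selection and not computer_acct


def find_matches(records):
    """Return every record that trips the rule, in log order."""
    return [r for r in records if matches_rule(r)]


def services_per_client(matches):
    """Group matching records by client and list the distinct SPNs requested.

    Many distinct RC4 service tickets requested by one principal in a short
    window is a stronger kerberoasting indicator than any single request, so
    this is the first summary an analyst usually builds from the raw hits.
    """
    spns = defaultdict(set)
    for r in matches:
        spns[r["client"]].add(r["service"])
    return {client: sorted(services) for client, services in spns.items()}


if __name__ == "__main__":
    hits = find_matches(parse_zeek_json(SAMPLE_LOG))
    for r in hits:
        print(f"{r['ts']:.1f} {r['id.orig_h']:<12} {r['client']:<20} {r['service']}")
    for client, services in services_per_client(hits).items():
        print(f"{client}: {len(services)} distinct SPNs with rc4-hmac")
```

In the constructed sample, the AS request, the AES-encrypted TGS request and the '$'-prefixed computer account are all dropped, leaving three RC4 service-ticket requests from a single user principal for three different SPNs within about a second, which is exactly the pattern this rule is meant to surface for review.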
Categories
  • Network
  • Endpoint
Data Sources
  • Network Traffic
  • Process
Created: 2020-02-12