
User account exposed to Kerberoasting

Elastic Detection Rules

Summary
This detection rule monitors changes to the `servicePrincipalName` attribute of user accounts in a Windows Active Directory (AD) environment. A modification of this attribute on a user account can indicate preparation for a Kerberoasting attack. Kerberoasting is a technique in which attackers request Kerberos service tickets for accounts that have a Service Principal Name (SPN) assigned and then attempt to recover the account password offline from the ticket material. Because user accounts with SPNs often have weaker passwords than machine accounts, they are more susceptible to this attack. The rule relies on Windows Event ID 5136, which logs directory service changes; generating this event requires the 'Audit Directory Service Changes' policy to be enabled for both success and failure. False positives should be assessed carefully, bearing in mind that using regular user accounts as service accounts is itself considered poor security practice. The rule is critical for identifying potential credential exposure and mitigating the risk of Kerberoasting.
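The following is an added illustration of the rule's logic, written for this page and not taken from the Elastic rule itself. It filters a stream of Windows Event ID 5136 records and raises an alert only when the modified attribute is `servicePrincipalName` and the object class is `user` (computer objects get SPNs routinely and are excluded). The field names follow the EventData fields of Event 5136 (`ObjectClass`, `ObjectDN`, `AttributeLDAPDisplayName`, `AttributeValue`, `OperationType`, `SubjectUserName`); the sample events are constructed, and the mapping of `OperationType` resource-string codes to "Value Added" / "Value Deleted" is an assumption based on the standard Windows resource strings.

```python
"""Toy detector for 'User account exposed to Kerberoasting' (added example).

Flags Event ID 5136 records where the servicePrincipalName attribute of a
*user* object is modified. Computer objects and other attributes are ignored.
"""
from dataclasses import dataclass
from typing import Iterable, List, Mapping

# Assumption: resource-string codes Windows places in Event 5136's OperationType field.
OPERATION_TYPES = {"%%14674": "Value Added", "%%14675": "Value Deleted"}


@dataclass
class SpnChangeAlert:
    """One detection: a servicePrincipalName change on a user object."""
    object_dn: str      # distinguished name of the account whose SPN changed
    operation: str      # "Value Added" or "Value Deleted"
    spn_value: str      # the SPN that was added or removed
    changed_by: str     # account that performed the directory change


def matches_rule(event: Mapping[str, str]) -> bool:
    """Core predicate mirroring the rule: 5136 + object class 'user' + servicePrincipalName."""
    return (
        event.get("EventID") == "5136"
        and event.get("ObjectClass", "").lower() == "user"
        and event.get("AttributeLDAPDisplayName", "").lower() == "serviceprincipalname"
    )


def detect_spn_changes(events: Iterable[Mapping[str, str]]) -> List[SpnChangeAlert]:
    """Run the predicate over a sequence of events and build alerts for the hits."""
    alerts: List[SpnChangeAlert] = []
    for ev in events:
        if not matches_rule(ev):
            continue
        op_code = ev.get("OperationType", "")
        alerts.append(
            SpnChangeAlert(
                object_dn=ev.get("ObjectDN", ""),
                operation=OPERATION_TYPES.get(op_code, op_code or "unknown"),
                spn_value=ev.get("AttributeValue", ""),
                changed_by=ev.get("SubjectUserName", ""),
            )
        )
    return alerts


# Constructed sample events (not real log data). Only the first and fourth should alert:
# the second is a computer object, the third changes a different attribute, the fifth
# is not a directory-service-change event at all.
SAMPLE_EVENTS = [
    {"EventID": "5136", "ObjectClass": "user",
     "ObjectDN": "CN=svc-backup,OU=Service,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "servicePrincipalName",
     "AttributeValue": "HTTP/backup01.corp.example",
     "OperationType": "%%14674", "SubjectUserName": "jdoe"},
    {"EventID": "5136", "ObjectClass": "computer",
     "ObjectDN": "CN=WS01,CN=Computers,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "servicePrincipalName",
     "AttributeValue": "HOST/WS01.corp.example",
     "OperationType": "%%14674", "SubjectUserName": "WS01$"},
    {"EventID": "5136", "ObjectClass": "user",
     "ObjectDN": "CN=alice,OU=Users,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "description",
     "AttributeValue": "Finance team",
     "OperationType": "%%14674", "SubjectUserName": "helpdesk"},
    {"EventID": "5136", "ObjectClass": "user",
     "ObjectDN": "CN=svc-sql,OU=Service,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "servicePrincipalName",
     "AttributeValue": "MSSQLSvc/db01.corp.example:1433",
     "OperationType": "%%14675", "SubjectUserName": "dbadmin"},
    {"EventID": "4738", "ObjectClass": "user",
     "ObjectDN": "CN=bob,OU=Users,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "servicePrincipalName",
     "AttributeValue": "HTTP/web01.corp.example",
     "OperationType": "%%14674", "SubjectUserName": "bob"},
]


if __name__ == "__main__":
    for alert in detect_spn_changes(SAMPLE_EVENTS):
        print(f"[ALERT] {alert.operation}: SPN '{alert.spn_value}' on {alert.object_dn} "
              f"(changed by {alert.changed_by})")
```

Both SPN additions and removals on user objects are surfaced, since the rule as summarised triggers on any modification of the attribute; in triage, the "Value Added" case is the one that directly creates Kerberoasting exposure, while the `SubjectUserName` field tells you whether the change came from an expected provisioning account.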
Categories
  • Windows
  • Identity Management
  • Endpoint
Data Sources
  • Active Directory
  • Windows Registry
  • User Account
ATT&CK Techniques
  • T1558
  • T1558.003
Created: 2022-02-22