servicePrincipalNameattribute set would be vulnerable to Kerberoasting attack. Any domain user can have a TGS for that SPN, allowing for the offline cracking of the service account plaintext password! This is obviously dependent on a crackable service account plaintext, but luckily for us service accounts tend to often have simple passwords that change very infrequently.
Get-DomainUserfunction from PowerView can be used to enumerate domain user accounts for which SPN value is set.
Invoke-Kerberoastfunction from PowerView can be used to dump the ST ( Service Ticker which is from TGS-REP encrypted using service account's password ).