GetCurrent User with PowerShell

Splunk Security Content

Summary
This detection rule targets executions of `powershell.exe` whose command line invokes the static `GetCurrent` method of the .NET `System.Security.Principal.WindowsIdentity` class (`[System.Security.Principal.WindowsIdentity]::GetCurrent()`). It relies on process-creation telemetry from Endpoint Detection and Response (EDR) solutions, Sysmon, and the Windows event log, matching on the process name and command-line arguments. The rationale is that adversaries call `GetCurrent` to learn which account they are running as on a potentially compromised system, including its user name, SID, and group memberships. That context helps an attacker decide on next steps such as privilege escalation or lateral movement. By monitoring for this process-execution pattern, security teams can assess whether an endpoint has been breached and respond to user and domain context reconnaissance (System Owner/User Discovery, T1033) before it is followed by privilege escalation or further exploitation.
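The following is an added example, not the Splunk search from this rule or any Splunk Security Content code. It implements the same idea in stand-alone Python: take process-creation records (reduced to the host, user, process name, and command line that the rule keys on), keep only PowerShell hosts, and flag command lines that reference `WindowsIdentity]::GetCurrent`. It also decodes `-EncodedCommand` launches, since a base64-encoded script would otherwise hide the string from a plain substring match. The event records, host names, and user names are constructed for illustration; the `ProcessEvent` class and function names are assumptions of this example.

```python
"""Flag PowerShell process-creation events that call
[System.Security.Principal.WindowsIdentity]::GetCurrent().

Added example; not the Splunk rule itself. Input records are constructed
for illustration and mirror the fields a Sysmon / Windows Security
process-creation event would carry after normalization.
"""
import base64
import re
from dataclasses import dataclass
from typing import List

# Executables that host PowerShell; the detection only applies to these.
POWERSHELL_IMAGES = {"powershell.exe", "powershell_ise.exe", "pwsh.exe"}

# Matches "...WindowsIdentity]::GetCurrent" regardless of case, namespace
# prefix, or incidental whitespace. Somewhat stricter than matching the two
# words independently, which reduces noise from unrelated scripts.
GETCURRENT_RE = re.compile(r"WindowsIdentity\s*\]?\s*::\s*GetCurrent", re.IGNORECASE)

# powershell.exe accepts any unambiguous prefix of -EncodedCommand.
ENCODED_FLAG_RE = re.compile(
    r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE
)


@dataclass
class ProcessEvent:  # assumed record shape for this example
    host: str
    user: str
    process_name: str   # image name or full path
    command_line: str


def _basename(path: str) -> str:
    """Return the file name of a Windows path, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(command_line: str) -> str:
    """Return the decoded script behind -EncodedCommand, or '' if absent/invalid.

    PowerShell encodes the script as base64 over UTF-16LE.
    """
    match = ENCODED_FLAG_RE.search(command_line)
    if not match:
        return ""
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def is_getcurrent_powershell(event: ProcessEvent) -> bool:
    """True when a PowerShell host was launched with a GetCurrent call."""
    if _basename(event.process_name) not in POWERSHELL_IMAGES:
        return False
    if GETCURRENT_RE.search(event.command_line):
        return True
    # Look inside an encoded command as well, so -enc does not bypass the check.
    return bool(GETCURRENT_RE.search(decode_encoded_command(event.command_line)))


def find_getcurrent_events(events: List[ProcessEvent]) -> List[ProcessEvent]:
    """Filter a batch of process-creation events down to the suspicious ones."""
    return [ev for ev in events if is_getcurrent_powershell(ev)]


def _encode(script: str) -> str:
    """Helper to build a realistic -EncodedCommand payload for the sample data."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample telemetry (hosts, users and command lines are made up).
SAMPLE_EVENTS = [
    ProcessEvent("ws01", "CORP\\alice", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 'powershell.exe -Command "[System.Security.Principal.WindowsIdentity]::GetCurrent().Name"'),
    ProcessEvent("ws02", "CORP\\bob", "powershell.exe",
                 'powershell.exe -NoProfile -Command "Get-Process | Sort-Object CPU"'),
    ProcessEvent("ws03", "CORP\\carol", "pwsh.exe",
                 "pwsh.exe -NoProfile -enc " + _encode("[Security.Principal.WindowsIdentity]::GetCurrent().Groups")),
    ProcessEvent("ws04", "CORP\\dave", "cmd.exe",
                 "cmd.exe /c whoami /groups"),
    ProcessEvent("ws05", "CORP\\erin", "notepad.exe",
                 "notepad.exe WindowsIdentity_GetCurrent_notes.txt"),
]


if __name__ == "__main__":
    for ev in find_getcurrent_events(SAMPLE_EVENTS):
        print(f"{ev.host}\t{ev.user}\t{ev.command_line}")
```

Running the block prints the two hits (`ws01` via the plain command line and `ws03` via the decoded `-enc` payload); the `cmd.exe` and `notepad.exe` records are dropped by the process-name filter and the `Get-Process` launch by the command-line check. Two caveats carry over to the real rule: a script that reads the class into a variable first (`$t = [System.Security.Principal.WindowsIdentity]; $t::GetCurrent()`) or that is loaded from a file rather than passed on the command line will not match a command-line-only detection, and legitimate administrative scripts do call `GetCurrent` (for example to check for elevation), so results should be tuned against the environment's baseline before alerting.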
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Windows Registry
  • Application Log
ATT&CK Techniques
  • T1033
Created: 2024-11-13