This rule detects malicious use of PowerShell environment variables, specifically `$env:UserName` and `[System.Environment]::UserName`, to uncover the identity of the currently logged user. This detection relies on PowerShell Script Block Logging (EventCode=4104) and aims to identify activities commonly performed by adversaries or Red Teams during Active Directory reconnaissance and endpoint exploration. When executed, these commands facilitate knowledge gathering about user context, which can be leveraged for further exploitation or lateral movement within the network. The rule monitors script blocks containing the specified phrases, counting occurrences and tracking the first and last time the script was detected. It is crucial for network defenders to monitor such activities to mitigate potential threats arising from user discovery tactics utilized by attackers.