
User Discovery With Env Vars PowerShell

Splunk Security Content

Summary
This rule detects the use of PowerShell environment variables to identify the currently logged-in user. It looks for executions of `powershell.exe` whose command line references the environment variable `$env:UserName` or the .NET property `[System.Environment]::UserName`. Attackers run these one-liners to gain situational awareness on a compromised endpoint, often as an early step of Active Directory discovery, before choosing a path for privilege escalation or lateral movement (MITRE ATT&CK T1033, System Owner/User Discovery). The detection uses process-execution telemetry from EDR products, Sysmon (Event ID 1) or Windows Security auditing (Event ID 4688, which only carries the command line when command-line logging is enabled in audit policy). Because the match is on the raw command line, it does not see into scripts launched with `-File` or payloads passed through `-EncodedCommand`; pair it with PowerShell script block logging (Event ID 4104) to cover those cases. Expect benign hits from administrative and logon scripts that read `$env:UserName`, so tune on the parent process, the user and the host before alerting. Identifying the current user account is a common precursor to further exploitation, which makes this activity worth monitoring for threat hunting and incident response teams.
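The following Python is an added illustration, not Splunk's search or any code from the Splunk Security Content project. It applies the two match conditions described above to a handful of constructed process-creation records (the field names `process_name` and `process` are assumed for the example), and then shows the gap a plain command-line match leaves open: a `-EncodedCommand` payload that references `$env:UserName` is invisible until the base64/UTF-16LE blob is decoded, and a `-File` script is invisible to command-line matching altogether.

```python
"""Added example (not Splunk's own code): the rule's command-line match run
over constructed process-creation events, plus an -EncodedCommand check."""
import base64
import re
from typing import Optional

# Substrings the rule looks for in a powershell.exe command line.
USERNAME_RE = re.compile(
    r"\$env:username|\[system\.environment\]::username", re.IGNORECASE
)

# powershell.exe accepts abbreviations of -EncodedCommand; the common ones are
# covered here (simplification: any unambiguous prefix is really accepted).
ENCODED_RE = re.compile(
    r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})", re.IGNORECASE
)


def encode_command(script: str) -> str:
    """Build an -EncodedCommand argument the way PowerShell expects it."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload, or None if there is none."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def matches_rule(event: dict, inspect_encoded: bool = False) -> bool:
    """True when the event would trigger the rule.

    event["process_name"] is the image name, event["process"] the full
    command line (assumed field names). With inspect_encoded=True the
    -EncodedCommand payload is decoded and matched as well, which the
    command-line-only rule does not do.
    """
    if event.get("process_name", "").lower() != "powershell.exe":
        return False
    cmd = event.get("process", "")
    if USERNAME_RE.search(cmd):
        return True
    if inspect_encoded:
        decoded = decode_encoded_command(cmd)
        return bool(decoded and USERNAME_RE.search(decoded))
    return False


# Constructed sample events; not real telemetry.
SAMPLE_EVENTS = [
    {"id": 1, "process_name": "powershell.exe",
     "process": 'powershell.exe -NoProfile -Command "$env:UserName"'},
    {"id": 2, "process_name": "powershell.exe",
     "process": 'powershell.exe -c "[System.Environment]::UserName; whoami /groups"'},
    # Same discovery, hidden behind -enc: only visible after decoding.
    {"id": 3, "process_name": "powershell.exe",
     "process": "powershell.exe -NoP -W Hidden -enc "
                + encode_command("$env:UserName | Out-File C:\\Temp\\u.txt")},
    # Out of scope: not powershell.exe.
    {"id": 4, "process_name": "cmd.exe", "process": "cmd.exe /c echo %USERNAME%"},
    # Script file: the reference lives in the script, so command-line
    # matching cannot see it; script block logging (4104) would.
    {"id": 5, "process_name": "powershell.exe",
     "process": "powershell.exe -File C:\\Scripts\\inventory.ps1"},
]


def run_detection(events, inspect_encoded: bool = False) -> list:
    """Return the ids of events that trigger the rule."""
    return [e["id"] for e in events if matches_rule(e, inspect_encoded)]


if __name__ == "__main__":
    print("command line only:", run_detection(SAMPLE_EVENTS))
    print("with -enc decoding:", run_detection(SAMPLE_EVENTS, inspect_encoded=True))
```

Run as-is it reports events 1 and 2 for the plain match and adds event 3 once the encoded payload is decoded; event 5 never fires, which is the case that needs script block logging rather than a longer command-line pattern.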
Categories
  • Endpoint
Data Sources
  • Windows Registry
  • Process
  • Application Log
ATT&CK Techniques
  • T1033
Created: 2024-11-13