
Summary
This detection rule identifies executions of the Windows command-line tool "whoami.exe" with the "-all" flag. Malicious actors use "whoami.exe" to gather numerous details about the current user and their privileges on the system, which can reveal sensitive information or inform their next steps in an attack. The rule matches on the specific command-line usage and checks that the executable name is the known process, so that it surfaces unusual or unauthorized executions indicating the discovery or reconnaissance activity commonly associated with malicious behavior.
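The two conditions the summary describes (executable name equals whoami.exe, command line carries the -all flag) can be run over process-creation events as plain code. The following is an added example, not the rule's own logic or code from the original page; it assumes process events with image, command_line, user and parent_image fields (the shape of a Sysmon Event ID 1 or Security 4688 record), and the sample events are constructed. It goes slightly beyond the page's stated "-all" string by also matching the slash form "/all", which whoami.exe treats identically.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Iterable, List


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-creation record (constructed shape for this example,
    mirroring the fields a Sysmon Event ID 1 or Security 4688 log carries)."""
    image: str          # full path of the started executable
    command_line: str   # command line as logged
    user: str           # account that started the process
    parent_image: str = ""


# The flag must be a whole argument: "-all" and "/all" match, "-allx" or
# "foo-all" do not. whoami.exe accepts both prefix styles, so the slash form
# is included as a generalisation of the page's "-all" string.
ALL_FLAG = re.compile(r"(?:^|\s)[-/]all(?=\s|$)", re.IGNORECASE)


def is_whoami_all(event: ProcessEvent) -> bool:
    """Return True when the executable is whoami.exe and the command line
    carries the -all (or /all) flag."""
    # Compare the image basename, not the full path, and ignore case so that
    # C:\Windows\System32\WHOAMI.EXE and C:\Windows\SysWOW64\whoami.exe both match.
    if PureWindowsPath(event.image).name.lower() != "whoami.exe":
        return False
    return ALL_FLAG.search(event.command_line) is not None


def detect(events: Iterable[ProcessEvent]) -> List[ProcessEvent]:
    """Filter a stream of process-creation events down to rule hits."""
    return [e for e in events if is_whoami_all(e)]


def describe(event: ProcessEvent) -> str:
    """Render a hit as a one-line alert string for triage."""
    return (f"whoami -all by {event.user} "
            f"(parent: {event.parent_image or 'unknown'}): {event.command_line}")


# Constructed sample events: two true positives followed by three cases that
# must not fire (different flag, different executable, flag not a whole token).
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\whoami.exe", "whoami -all",
                 r"CORP\jdoe", r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(r"C:\Windows\System32\WHOAMI.EXE", "whoami.exe  -ALL",
                 r"NT AUTHORITY\SYSTEM",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ProcessEvent(r"C:\Windows\System32\whoami.exe", "whoami /groups",
                 r"CORP\jdoe", r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(r"C:\Windows\System32\net.exe", "net user -all",
                 r"CORP\jdoe", r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(r"C:\Windows\System32\whoami.exe", "whoami -allx",
                 r"CORP\jdoe", r"C:\Windows\System32\cmd.exe"),
]


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(describe(hit))
```

Checking the image basename rather than the raw command line is what keeps a renamed or unrelated binary that happens to take a -all argument (the net.exe sample above) from producing a hit; the parent image and user in the alert string are what an analyst needs first when triaging whether the execution is administrator activity or discovery by an intruder.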
Categories
- Windows
- Endpoint
Data Sources
- Process
Created: 2023-12-04