
Summary
This analytic detection rule targets execution of the `powershell.exe` process with command-line arguments that use the `Get-WmiObject` cmdlet to query local user accounts through the `Win32_UserAccount` WMI class. The detection leverages telemetry from Endpoint Detection and Response (EDR) agents, capturing the essential details of process execution events: process name, command-line arguments, and parent/child process relationships. This activity is significant because it is potentially associated with adversarial reconnaissance, in particular confirming user roles and accounts on a compromised endpoint, which can in turn lead to privilege escalation or lateral movement within an organization. By monitoring and analyzing this behavior, security teams can proactively identify malicious activity in their environment.
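The matching logic described above, as an added example that is not the rule's own search: it runs over constructed EDR process-creation events (the field names `process_name`, `process`, `parent_process_name`, `dest` and `user` are assumptions) and flags only `powershell.exe` launches whose command line contains both `Get-WmiObject` and `Win32_UserAccount`, keeping the parent process for triage.

```python
"""Toy detector for powershell.exe querying Win32_UserAccount via Get-WmiObject.
Added example; event field names are assumed, not taken from a specific EDR."""
import json
import re

# PowerShell cmdlet and WMI class names are case-insensitive, so match that way.
CMDLET_RE = re.compile(r"get-wmiobject", re.IGNORECASE)
CLASS_RE = re.compile(r"win32_useraccount", re.IGNORECASE)


def is_user_account_enum(event: dict) -> bool:
    """True when a powershell.exe event runs Get-WmiObject against Win32_UserAccount."""
    if event.get("process_name", "").lower() != "powershell.exe":
        return False
    cmd = event.get("process", "")
    return bool(CMDLET_RE.search(cmd) and CLASS_RE.search(cmd))


def detect(jsonl_events: str) -> list:
    """Parse JSON-lines telemetry and return one finding per matching event,
    retaining host, user and parent/child context for the analyst."""
    findings = []
    for line in jsonl_events.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if is_user_account_enum(ev):
            findings.append({
                "host": ev.get("dest"),
                "user": ev.get("user"),
                "parent": ev.get("parent_process_name"),
                "cmd": ev.get("process"),
            })
    return findings


# Constructed sample telemetry (not real data). Events 1 and 4 should match;
# 2 queries a different class, 3 is not powershell.exe, 5 has no WMI query.
SAMPLE_EVENTS = """
{"dest":"ws01","user":"CORP\\\\alice","parent_process_name":"cmd.exe","process_name":"powershell.exe","process":"powershell.exe -NoP Get-WmiObject -Class Win32_UserAccount | Select Name,SID"}
{"dest":"ws01","user":"CORP\\\\alice","parent_process_name":"explorer.exe","process_name":"powershell.exe","process":"powershell.exe Get-WmiObject Win32_OperatingSystem"}
{"dest":"ws02","user":"CORP\\\\bob","parent_process_name":"explorer.exe","process_name":"cmd.exe","process":"cmd.exe /c whoami"}
{"dest":"ws02","user":"CORP\\\\bob","parent_process_name":"wscript.exe","process_name":"powershell.exe","process":"POWERSHELL.EXE -w hidden get-wmiobject -class WIN32_USERACCOUNT -Filter \\"LocalAccount=True\\""}
{"dest":"ws03","user":"CORP\\\\carol","parent_process_name":"explorer.exe","process_name":"powershell.exe","process":"powershell.exe Get-Process"}
"""

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f)
```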
Categories
- Endpoint
Data Sources
- Windows Registry
- Process
- Application Log
ATT&CK Techniques
- T1087
- T1087.001
Created: 2024-11-13