What are your first three steps when investigating suspicious PowerShell activity on a domain controller at T-Mobile?