((CommandLine:tasklist\ \/fi\ * CommandLine:Imagename\ eq\ lsass.exe*) (CommandLine:cmd.exe\ \/c\ * OR CommandLine:cmd.exe\ \/r\ * OR CommandLine:cmd.exe\ \/k\ * OR CommandLine:cmd\ \/c\ * OR CommandLine:cmd\ \/r\ * OR CommandLine:cmd\ \/k\ *) (User:AUTHORI* OR User:AUTORI*)) OR (CommandLine:do\ rundll32.exe\ C\:\\windows\\System32\\comsvcs.dll,\ MiniDump* CommandLine:\\Windows\\Temp\\* CommandLine:\ full* CommandLine:%%B*) OR (CommandLine:tasklist\ \/v\ \/fo\ csv* CommandLine:findstr\ \/i\ \"lsass\"*)