(CommandLine:DumpCreds* OR CommandLine:mimikatz*) OR (CommandLine:\:\:aadcookie* OR CommandLine:\:\:detours* OR CommandLine:\:\:memssp* OR CommandLine:\:\:mflt* OR CommandLine:\:\:ncroutemon* OR CommandLine:\:\:ngcsign* OR CommandLine:\:\:printnightmare* OR CommandLine:\:\:skeleton* OR CommandLine:\:\:preshutdown* OR CommandLine:\:\:mstsc* OR CommandLine:\:\:multirdp*) OR (CommandLine:rpc\:\:* OR CommandLine:token\:\:* OR CommandLine:crypto\:\:* OR CommandLine:dpapi\:\:* OR CommandLine:sekurlsa\:\:* OR CommandLine:kerberos\:\:* OR CommandLine:lsadump\:\:* OR CommandLine:privilege\:\:* OR CommandLine:process\:\:* OR CommandLine:vault\:\:*)