CommandLine:checkadmin.exe\ 127.0.0.1\ \-all* OR
CommandLine:netsh\ advfirewall\ firewall\ add\ rule\ name=powershell\ dir=in* OR
CommandLine:cmd\ \/c\ powershell.exe\ \-ep\ bypass\ \-file\ c\:\\s.ps1* OR
CommandLine:\/tn\ win32times\ \/f* OR
CommandLine:create\ win32times\ binPath=* OR
CommandLine:\\c$\\windows\\system32\\devmgr.dll* OR
CommandLine:\ \-exec\ bypass\ \-enc\ JgAg* OR
CommandLine:type\ *keepass\\KeePass.config.xml* OR
CommandLine:iie.exe\ iie.txt* OR
CommandLine:reg\ query\ HKEY_CURRENT_USER\\Software\\*\\PuTTY\\Sessions\\*