((ParentImage:\\w3wp.exe OR ParentImage:\\php\-cgi.exe OR ParentImage:\\nginx.exe OR ParentImage:\\httpd.exe OR ParentImage:\\caddy.exe OR ParentImage:\\ws_tomcatservice.exe) OR ((ParentImage:\\java.exe OR ParentImage:\\javaw.exe) (ParentImage:\-tomcat\-* OR ParentImage:\\tomcat*)) OR ((ParentImage:\\java.exe OR ParentImage:\\javaw.exe) (CommandLine:catalina.jar* OR CommandLine:CATALINA_HOME*))) (((OriginalFileName:net.exe OR OriginalFileName:net1.exe) (CommandLine:\ user\ * OR CommandLine:\ use\ * OR CommandLine:\ group\ *)) OR (OriginalFileName:ping.exe CommandLine:\ \-n\ *) OR (CommandLine:&cd&echo* OR CommandLine:cd\ \/d\ *) OR (OriginalFileName:wmic.exe CommandLine:\ \/node\:*) OR ((Image:\\cmd.exe OR Image:\\powershell.exe OR Image:\\pwsh.exe) (CommandLine:\ \-enc\ * OR CommandLine:\ \-EncodedCommand\ * OR CommandLine:\ \-w\ hidden\ * OR CommandLine:\ \-windowstyle\ hidden* OR CommandLine:.WebClient\).Download*)) OR ((Image:\\dsquery.exe OR Image:\\find.exe OR Image:\\findstr.exe OR Image:\\ipconfig.exe OR Image:\\netstat.exe OR Image:\\nslookup.exe OR Image:\\pathping.exe OR Image:\\quser.exe OR Image:\\schtasks.exe OR Image:\\systeminfo.exe OR Image:\\tasklist.exe OR Image:\\tracert.exe OR Image:\\ver.exe OR Image:\\wevtutil.exe OR Image:\\whoami.exe) OR (OriginalFileName:dsquery.exe OR OriginalFileName:find.exe OR OriginalFileName:findstr.exe OR OriginalFileName:ipconfig.exe OR OriginalFileName:netstat.exe OR OriginalFileName:nslookup.exe OR OriginalFileName:pathping.exe OR OriginalFileName:quser.exe OR OriginalFileName:schtasks.exe OR OriginalFileName:sysinfo.exe OR OriginalFileName:tasklist.exe OR OriginalFileName:tracert.exe OR OriginalFileName:ver.exe OR OriginalFileName:VSSADMIN.EXE OR OriginalFileName:wevtutil.exe OR OriginalFileName:whoami.exe)) OR (CommandLine:\ Test\-NetConnection\ * OR CommandLine:dir\ \\*))