(TargetObject:\\System\\CurrentControlSet\\Services* OR (TargetObject:\\System\\ControlSet* TargetObject:\\Services*)) ((Details:ADMIN$* Details:.exe*) OR (Details:%COMSPEC%* Details:start* Details:powershell*))