(EventID:4697 (ServiceFileName:cmd* ServiceFileName:powershell*)) (ServiceFileName:$\{input\}* OR ServiceFileName:noexit*) (ServiceFileName:\ \/c\ * OR ServiceFileName:\ \/r\ *)