(CommandLine:process\ * CommandLine:call\ * CommandLine:create\ *) (CommandLine:rundll32* OR CommandLine:bitsadmin* OR CommandLine:regsvr32* OR CommandLine:cmd.exe\ \/c\ * OR CommandLine:cmd.exe\ \/k\ * OR CommandLine:cmd.exe\ \/r\ * OR CommandLine:cmd\ \/c\ * OR CommandLine:cmd\ \/k\ * OR CommandLine:cmd\ \/r\ * OR CommandLine:powershell* OR CommandLine:pwsh* OR CommandLine:certutil* OR CommandLine:cscript* OR CommandLine:wscript* OR CommandLine:mshta* OR CommandLine:\\Users\\Public\\* OR CommandLine:\\Windows\\Temp\\* OR CommandLine:\\AppData\\Local\\* OR CommandLine:%temp%* OR CommandLine:%tmp%* OR CommandLine:%ProgramData%* OR CommandLine:%appdata%* OR CommandLine:%comspec%* OR CommandLine:%localappdata%*)