(Image:\\cmd.exe OR Image:\\powershell.exe) (CommandLine:\[System\/EventID=* CommandLine:\/create* CommandLine:\/delete* CommandLine:\/ec* CommandLine:\/so* CommandLine:\/tn\ run*)