ParentImage:\\GoAnywhere\\tomcat\\* (((Image:\\powershell.exe OR Image:\\powershell_ise.exe OR Image:\\pwsh.exe) ((CommandLine:IEX* CommandLine:enc* CommandLine:Hidden* CommandLine:bypass*) OR (CommandLine:net\\s+user OR CommandLine:net\\s+group OR CommandLine:query\\s+session) OR (CommandLine:whoami* OR CommandLine:systeminfo* OR CommandLine:dsquery* OR CommandLine:localgroup\ administrators* OR CommandLine:nltest* OR CommandLine:samaccountname=* OR CommandLine:adscredentials* OR CommandLine:o365accountconfiguration* OR CommandLine:.DownloadString\(* OR CommandLine:.DownloadFile\(* OR CommandLine:FromBase64String\(* OR CommandLine:System.IO.Compression* OR CommandLine:System.IO.MemoryStream* OR CommandLine:curl*))) OR ((Image:\\cmd.exe (CommandLine:powershell* OR CommandLine:whoami* OR CommandLine:net.exe* OR CommandLine:net1.exe* OR CommandLine:rundll32* OR CommandLine:quser* OR CommandLine:nltest* OR CommandLine:curl*)) OR (CommandLine:bitsadmin* OR CommandLine:certutil* OR CommandLine:mshta* OR CommandLine:cscript* OR CommandLine:wscript*)))