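(OriginalFileName:Cmd.Exe OR Image:*\\cmd.exe) AND ((CommandLine:cmd\ * OR CommandLine:cmd.exe* OR CommandLine:c\:\\windows\\system32\\cmd.exe*) AND (CommandLine:*psinject* OR CommandLine:*spawnas* OR CommandLine:*make_token* OR CommandLine:*remote\-exec* OR CommandLine:*rev2self* OR CommandLine:*dcsync* OR CommandLine:*logonpasswords* OR CommandLine:*execute\-assembly* OR CommandLine:*getsystem*))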