((CommandLine:reg\ * CommandLine:add*) OR (CommandLine:powershell* OR CommandLine:set\-itemproperty* OR CommandLine:\ sp\ * OR CommandLine:new\-itemproperty*)) ((IntegrityLevel:Medium OR IntegrityLevel:S\-1\-16\-8192) (CommandLine:ControlSet* CommandLine:Services*) (CommandLine:ImagePath* OR CommandLine:FailureCommand* OR CommandLine:ServiceDLL*))