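(EventID:4657 AND (ObjectName:WINEVT\\Publishers\\\{5770385f\-c22a\-43e0\-bf4c\-06f5698ffbd9\}* OR ObjectName:WINEVT\\Channels\\Microsoft\-Windows\-Sysmon\/Operational*) AND ObjectValueName:Enabled AND NewValue:0) OR (EventID:4663 AND (ObjectName:WINEVT\\Publishers\\\{5770385f\-c22a\-43e0\-bf4c\-06f5698ffbd9\}* OR ObjectName:WINEVT\\Channels\\Microsoft\-Windows\-Sysmon\/Operational*) AND AccessMask:0x10000)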