EventID:4697 (((ServiceFileName:\/c* ServiceFileName:echo* ServiceFileName:\\pipe\\*) (ServiceFileName:cmd* OR ServiceFileName:%COMSPEC%*)) OR (ServiceFileName:rundll32* ServiceFileName:.dll,a* ServiceFileName:\/p\:*) OR ServiceFileName:\\\\127.0.0.1\\ADMIN$\\*)