((Image:\\powershell.exe OR Image:\\pwsh.exe OR Image:\\reg.exe) OR (OriginalFileName:powershell.exe OR OriginalFileName:pwsh.dll OR OriginalFileName:reg.exe)) (CommandLine:\ add\ * OR CommandLine:Set\-ItemProperty* OR CommandLine:New\-ItemProperty*) (CommandLine:\\SOFTWARE\\Policies\\Microsoft\\Windows\ NT\\SystemRestore* OR CommandLine:\\SOFTWARE\\Microsoft\\Windows\ NT\\CurrentVersion\\SystemRestore*) (CommandLine:DisableConfig* OR CommandLine:DisableSR*)