(((ParentImage:\\winlogon.exe OR ParentImage:\\services.exe OR ParentImage:\\lsass.exe OR ParentImage:\\csrss.exe OR ParentImage:\\smss.exe OR ParentImage:\\wininit.exe OR ParentImage:\\spoolsv.exe OR ParentImage:\\searchindexer.exe) (User:AUTHORI* OR User:AUTORI*)) ((Image:\\powershell.exe OR Image:\\pwsh.exe OR Image:\\cmd.exe) OR (OriginalFileName:PowerShell.EXE OR OriginalFileName:pwsh.dll OR OriginalFileName:Cmd.Exe))) (-(CommandLine:\ route\ * CommandLine:\ ADD\ *))