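((Image:*\\reg.exe OR Image:*\\powershell.exe OR Image:*\\pwsh.exe) OR (OriginalFileName:reg.exe OR OriginalFileName:PowerShell.EXE OR OriginalFileName:pwsh.dll)) AND (CommandLine:*add\ * OR CommandLine:*Set\-ItemProperty* OR CommandLine:*New\-ItemProperty* OR CommandLine:*si\ *) AND CommandLine:*\\Control\\WMI\\Autologger\\* AND (CommandLine:*Start* OR CommandLine:*Enabled*)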