((Image:\\powershell.exe OR Image:\\pwsh.exe OR Image:\\reg.exe) OR (OriginalFileName:PowerShell.EXE OR OriginalFileName:pwsh.dll OR OriginalFileName:reg.exe)) (CommandLine:add\ * OR CommandLine:New\-ItemProperty\ * OR CommandLine:Set\-ItemProperty\ * OR CommandLine:si\ *) CommandLine:\\DeviceGuard* (CommandLine:EnableVirtualizationBasedSecurity* OR CommandLine:HypervisorEnforcedCodeIntegrity*)