(CommandLine:\\Software\\Microsoft\\Windows\ Script\\Settings* CommandLine:AmsiEnable*) ((((Image:\\powershell.exe OR Image:\\pwsh.exe) OR (OriginalFileName:PowerShell.EXE OR OriginalFileName:pwsh.dll)) (CommandLine:Set\-ItemProperty* OR CommandLine:New\-ItemProperty* OR CommandLine:sp\ *)) OR ((Image:\\reg.exe OR OriginalFileName:reg.exe) CommandLine:add*))