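((Image:*\\powershell.exe OR Image:*\\pwsh.exe OR Image:*\\reg.exe) OR (OriginalFileName:PowerShell.EXE OR OriginalFileName:pwsh.dll OR OriginalFileName:reg.exe)) AND (CommandLine:*add\ * OR CommandLine:*New\-ItemProperty\ * OR CommandLine:*Set\-ItemProperty\ * OR CommandLine:*si\ * OR CommandLine:*delete\ * OR CommandLine:*del\ * OR CommandLine:*Remove\-ItemProperty\ * OR CommandLine:*rp\ *) AND (CommandLine:*\\Control\\DeviceGuard* OR CommandLine:*\\Control\\LSA* OR CommandLine:*Software\\Policies\\Microsoft\\Windows\\DeviceGuard*) AND (CommandLine:*EnableVirtualizationBasedSecurity* OR CommandLine:*RequirePlatformSecurityFeatures* OR CommandLine:*LsaCfgFlags*)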