((Image:\\reg.exe OR Image:\\powershell.exe OR Image:\\pwsh.exe) OR (OriginalFileName:reg.exe OR OriginalFileName:powershell.exe OR OriginalFileName:pwsh.dll)) ((CommandLine:ControlSet* CommandLine:\\Control\\Lsa*) (CommandLine:Set\-ItemProperty* OR CommandLine:New\-ItemProperty* OR CommandLine:\ add\ *)) (CommandLine:IsPplAutoEnabled* OR CommandLine:RunAsPPL* OR CommandLine:RunAsPPLBoot*)