((ParentImage:manageengine* OR ParentImage:ServiceDesk*) ParentImage:\\java*) (((Image:\\powershell.exe OR Image:\\powershell_ise.exe) ((CommandLine:\ echo\ * OR CommandLine:\-dumpmode* OR CommandLine:\-ssh* OR CommandLine:.dmp* OR CommandLine:add\-MpPreference* OR CommandLine:adscredentials* OR CommandLine:bitsadmin* OR CommandLine:certutil* OR CommandLine:csvhost.exe* OR CommandLine:DownloadFile* OR CommandLine:DownloadString* OR CommandLine:dsquery* OR CommandLine:ekern.exe* OR CommandLine:FromBase64String* OR CommandLine:iex\ * OR CommandLine:iex\(* OR CommandLine:Invoke\-Expression* OR CommandLine:Invoke\-WebRequest* OR CommandLine:localgroup\ administrators* OR CommandLine:o365accountconfiguration* OR CommandLine:samaccountname=* OR CommandLine:set\-MpPreference* OR CommandLine:svhost.exe* OR CommandLine:System.IO.Compression* OR CommandLine:System.IO.MemoryStream* OR CommandLine:usoprivate* OR CommandLine:usoshared* OR CommandLine:whoami*) OR CommandLine:[-/–][Ee^]{1,2}[ncodema^]*\\s[A-Za-z0-9+/=]{15,} OR CommandLine:net\\s+user OR CommandLine:net\\s+group OR CommandLine:query\\ssession)) OR (CommandLine:lsass* (CommandLine:procdump* OR CommandLine:tasklist* OR CommandLine:findstr*)) OR ((Image:\\wget.exe CommandLine:http*) OR (Image:\\curl.exe CommandLine:http*) OR (CommandLine:E\:jscript* OR CommandLine:e\:vbscript*) OR (CommandLine:localgroup\ Administrators* CommandLine:\/add*) OR (CommandLine:net* (CommandLine:user* CommandLine:\/add*)) OR ((CommandLine:reg\ add* CommandLine:DisableAntiSpyware* CommandLine:\\Microsoft\\Windows\ Defender*) OR (CommandLine:reg\ add* CommandLine:DisableRestrictedAdmin* CommandLine:CurrentControlSet\\Control\\Lsa*)) OR (CommandLine:wmic* CommandLine:process\ call\ create*) OR (CommandLine:wmic* CommandLine:delete* CommandLine:shadowcopy*) OR (CommandLine:vssadmin* CommandLine:delete* CommandLine:shadows*) OR (CommandLine:wbadmin* CommandLine:delete* CommandLine:catalog*))) (-(CommandLine:download.microsoft.com* CommandLine:manageengine.com* CommandLine:msiexec*))