((Image:\\powershell.exe OR Image:\\pwsh.exe) (OriginalFileName:PowerShell.EXE OR OriginalFileName:pwsh.dll)) (CommandLine:Get\-ChildItem\ * OR CommandLine:dir\ * OR CommandLine:gci\ * OR CommandLine:ls\ *) (CommandLine:Get\-Content\ * OR CommandLine:gc\ * OR CommandLine:cat\ * OR CommandLine:type\ * OR CommandLine:ReadAllBytes*) ((CommandLine:\ \^|\ * CommandLine:\*.lnk* CommandLine:\-Recurse* CommandLine:\-Skip\ *) OR (CommandLine:\ \-ExpandProperty\ * CommandLine:\*.lnk* CommandLine:WriteAllBytes* CommandLine:\ .length\ *))