((Image:\\cmd.exe (CommandLine:\ \/c* CommandLine:dir\ * CommandLine:\\Users\\*)) (-CommandLine:\ rmdir\ *)) OR (((Image:\\net.exe OR Image:\\net1.exe) CommandLine:user*) (-(CommandLine:\/domain* OR CommandLine:\/add* OR CommandLine:\/delete* OR CommandLine:\/active* OR CommandLine:\/expires* OR CommandLine:\/passwordreq* OR CommandLine:\/scriptpath* OR CommandLine:\/times* OR CommandLine:\/workstations*))) OR (((Image:\\whoami.exe OR Image:\\quser.exe OR Image:\\qwinsta.exe) OR (OriginalFileName:whoami.exe OR OriginalFileName:quser.exe OR OriginalFileName:qwinsta.exe)) OR (Image:\\wmic.exe (CommandLine:useraccount* CommandLine:get*)) OR (Image:\\cmdkey.exe CommandLine:\ \/l*))