((Image:\\powershell.exe OR Image:\\pwsh.exe OR Image:\\wmic.exe OR Image:\\vssadmin.exe) OR (OriginalFileName:PowerShell.EXE OR OriginalFileName:pwsh.dll OR OriginalFileName:wmic.exe OR OriginalFileName:VSSADMIN.EXE)) (CommandLine:shadow* CommandLine:create*)