((Image:\\wmic.exe OR Image:\\powershell.exe OR Image:\\pwsh.exe) OR (OriginalFileName:wmic.exe OR OriginalFileName:PowerShell.EXE OR OriginalFileName:pwsh.dll)) (CommandLine:rdtoggle* OR CommandLine:Win32_TerminalServiceSetting*) CommandLine:SetAllowTSConnections*