(CommandLine:\\\\*\\*$* OR CommandLine:\\Sysvol\\*) (((Image:\\robocopy.exe OR Image:\\xcopy.exe) OR (OriginalFileName:robocopy.exe OR OriginalFileName:XCOPY.EXE)) OR ((Image:\\cmd.exe OR OriginalFileName:Cmd.Exe) CommandLine:copy*) OR (((Image:\\powershell_ise.exe* OR Image:\\powershell.exe* OR Image:\\pwsh.exe*) OR (OriginalFileName:powershell_ise.exe OR OriginalFileName:PowerShell.EXE OR OriginalFileName:pwsh.dll)) (CommandLine:copy\-item* OR CommandLine:copy\ * OR CommandLine:cpi\ * OR CommandLine:\ cp\ * OR CommandLine:move\ * OR CommandLine:\ move\-item* OR CommandLine:\ mi\ * OR CommandLine:\ mv\ *)))