((ParentImage:\\powershell_ise.exe OR ParentImage:\\powershell.exe OR ParentImage:\\pwsh.exe) (Image:\\bash.exe OR Image:\\bitsadmin.exe OR Image:\\certutil.exe OR Image:\\cscript.exe OR Image:\\forfiles.exe OR Image:\\hh.exe OR Image:\\mshta.exe OR Image:\\regsvr32.exe OR Image:\\rundll32.exe OR Image:\\schtasks.exe OR Image:\\scrcons.exe OR Image:\\scriptrunner.exe OR Image:\\sh.exe OR Image:\\wmic.exe OR Image:\\wscript.exe)) (-((Image:\\certutil.exe CommandLine:\-verifystore\ *) OR (Image:\\wmic.exe (CommandLine:qfe\ list* OR CommandLine:diskdrive\ * OR CommandLine:csproduct\ * OR CommandLine:computersystem\ * OR CommandLine:\ os\ * OR CommandLine:)))) (-(ParentCommandLine:\\Program\ Files\\Amazon\\WorkspacesConfig\\Scripts\\* CommandLine:\\Program\ Files\\Amazon\\WorkspacesConfig\\Scripts\\*))