(CommandLine:powershell.exe* OR CommandLine:\\powershell* OR CommandLine:\\pwsh* OR CommandLine:pwsh.exe*) ((CommandLine:\/c\ * CommandLine:\\AppData\\*) (CommandLine:Local\\* OR CommandLine:Roaming\\*))