((Image:\\powershell.exe OR Image:\\powershell_ise.exe OR Image:\\pwsh.exe OR Image:\\cmd.exe) OR (OriginalFileName:PowerShell.EXE OR OriginalFileName:powershell_ise.EXE OR OriginalFileName:pwsh.dll OR OriginalFileName:Cmd.Exe)) ((User:AUTHORI* OR User:AUTORI*) LogonId:0x3e7)