index=* ((((EventCode=”4688″ OR EventCode=”1″) AND ((CommandLine=”*reg*” CommandLine=”*add*” CommandLine=”*/d*”) OR (CommandLine=”*Set-ItemProperty*” CommandLine=”*-value*”)) AND (CommandLine=”*00000000*” OR CommandLine=”*0*”) AND CommandLine=”*SafeDllSearchMode*”) OR ((EventCode=”4657″) ObjectValueName=”SafeDllSearchMode” value=”0″)) OR ((EventCode=”13″) EventType=”SetValue” TargetObject=”*SafeDllSearchMode” Details=”DWORD (0x00000000)”)) | fields EventCode,EventType,TargetObject,Details,CommandLine,ObjectValueName,value
