// Cortex XDR XQL hunt over the xdr_process preset (case-insensitive query).
// Scope: Windows PROCESS / PROCESS_START events where the started process runs
// at System integrity level ("System" or SID S-1-16-16384) under an
// authority-style account (username wildcard *AUTHORI* / *AUTORI*).
// Trigger, any one of:
//   - child image is one of the listed host/LOLBin binaries
//     (calc, cscript, forfiles, hh, mshta, ping, wscript);
//   - child command line matches the regex "net\s+user\s+";
//   - child command line contains one of the listed substrings: hidden /
//     encoded PowerShell switches and base64 prefixes (-NoP, -W Hidden,
//     -e* JAB* ...), certutil-style -decode / -urlcache, shadow-copy deletion,
//     reg SAVE HKLM, Run-key paths, download cradles, and credential-tool
//     module names written as "xxx::" (sekurlsa::, lsadump::, token:: ...).
// The trailing "not (...)" block suppresses known benign patterns: a local
// "ping 127.0.0.1 -n" delay, PING.EXE spawned by DismFoDInstall.cmd, the Azure
// GuestConfiguration plugin path, and Java Web Start (javaws.exe launching
// jp2launcher.exe with " -ma ").
// NOTE(review): every exclusion is a substring / wildcard match on a path or
// command line that a process already running as System can reproduce, so the
// "not" block is noise reduction, not a trust boundary; review additions to it
// and prefer also matching actor_process_image_path / signer where available.
// NOTE(review): config case_sensitive = false is assumed to cover the in/
// contains comparisons; confirm whether the ~= regex honors it as well.
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((((action_process_integrity_level in ("System", "S-1-16-16384")) and 
 (action_process_username in ("*AUTHORI*", "*AUTORI*"))) and 
 ((action_process_image_path in ("*\calc.exe", "*\cscript.exe", "*\forfiles.exe", "*\hh.exe", "*\mshta.exe", "*\ping.exe", "*\wscript.exe")) or 
 action_process_image_command_line ~= "net\s+user\s+" or 
 (action_process_image_command_line in ("* -NoP *", "* -W Hidden *", "* -decode *", "* /decode *", "* /urlcache *", "* -urlcache *", "* -e* JAB*", "* -e* SUVYI*", "* -e* SQBFAFgA*", "* -e* aWV4I*", "* -e* IAB*", "* -e* PAA*", "* -e* aQBlAHgA*", "*vssadmin delete shadows*", "*reg SAVE HKLM*", "* -ma *", "*Microsoft\Windows\CurrentVersion\Run*", "*.downloadstring(*", "*.downloadfile(*", "* /ticket:*", "*dpapi::*", "*event::clear*", "*event::drop*", "*id::modify*", "*kerberos::*", "*lsadump::*", "*misc::*", "*privilege::*", "*rpc::*", "*sekurlsa::*", "*sid::*", "*token::*", "*vault::cred*", "*vault::list*", "* p::d *", "*;iex(*", "*MiniDump*")))) and 
 (not 
 ((action_process_image_command_line contains "ping" and 
 action_process_image_command_line contains "127.0.0.1" and 
 action_process_image_command_line contains " -n ") or 
 (action_process_image_path contains "\PING.EXE" and 
 actor_process_command_line contains "\DismFoDInstall.cmd") or 
 actor_process_image_path contains ":\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\" or 
 ((actor_process_image_path in ("*:\Program Files (x86)\Java\*", "*:\Program Files\Java\*")) and 
 actor_process_image_path contains "\bin\javaws.exe" and 
 (action_process_image_path in ("*:\Program Files (x86)\Java\*", "*:\Program Files\Java\*")) and 
 action_process_image_path contains "\bin\jp2launcher.exe" and 
 action_process_image_command_line contains " -ma ")))))