// XQL (Cortex XDR) hunt for Windows process-start events tied to one intrusion
// toolset: binaries at fixed drop paths, PowerShell loader command lines, ncat
// launched from a staging directory, and a base64 fragment in the command line.
// NOTE: config case_sensitive = false makes every string comparison below
// case-insensitive, including the wildcard lists.
config case_sensitive = false
| preset = xdr_process
// Scope: process-start events reported by Windows agents only.
| filter event_type = ENUM.PROCESS and event_sub_type = ENUM.PROCESS_START
| filter agent_os_type = ENUM.AGENT_OS_WINDOWS
// Any single indicator below is sufficient (pure disjunction).
| filter
  // 1. Image path of a dropped binary ("*" intended as a wildcard for the
  //    drive letter / parent directory).
  action_process_image_path in (
    "*:\ProgramData\adobe\Adobe.exe",
    "*:\ProgramData\oracle\local.exe",
    "*\revshell.exe",
    "*\infopagesbackup\ncat.exe",
    "*:\ProgramData\comms\comms.exe"
  )
  // 2. Command line carries "L3NlcnZlcj1" (appears to be base64 of "/server="
  //    followed by a partial byte).
  or action_process_image_command_line contains "L3NlcnZlcj1"
  // 3. PowerShell run with execution policy bypassed against a msf.ps1 script.
  or (
    action_process_image_command_line contains "-ExecutionPolicy Bypass -File"
    and action_process_image_command_line contains "\msf.ps1"
  )
  // 4. ncat from the infopagesbackup directory invoked with "-e cmd.exe".
  or (
    action_process_image_command_line contains "infopagesbackup"
    and action_process_image_command_line contains "\ncat"
    and action_process_image_command_line contains "-e cmd.exe"
  )
  // 5. PowerShell one-liners (hidden window / policy bypass, IEX or
  //    net.webclient, whoami/netstat) matched as wildcard patterns.
  or action_process_image_command_line in (
    "*system.Data.SqlClient.SqlDataAdapter($cmd); [void]$da.fill*",
    "*-nop -w hidden -c $k=new-object*",
    "*[Net.CredentialCache]::DefaultCredentials;IEX *",
    "* -nop -w hidden -c $m=new-object net.webclient;$m*",
    "*-noninteractive -executionpolicy bypass whoami*",
    "*-noninteractive -executionpolicy bypass netstat -a*"
  )