// Detection query (Cortex XQL): flag Windows process-start events whose command line
// contains the name of a known offensive PowerShell cmdlet/function.
//
// How it matches:
//   - config case_sensitive = false  -> every comparison below is case-insensitive.
//   - Only PROCESS / PROCESS_START events from AGENT_OS_WINDOWS endpoints are considered.
//   - Each list entry is wrapped in "*" wildcards, so the cmdlet name may appear anywhere
//     inside action_process_image_command_line (substring match, not a token match).
//   - "*powercat *" carries a trailing space inside the pattern; presumably this is meant to
//     require the name to appear as a separate word — TODO confirm against the upstream rule.
//
// Tuning / coverage notes (review):
//   - The filter inspects only the command line of the started process. Cmdlets invoked from
//     a script file or passed in a form that does not appear verbatim on the command line are
//     not covered here; pair this query with PowerShell script-block/module logging for depth.
//   - Authorized security tooling (e.g. internal assessments) will also trigger this query;
//     scope exclusions to such hosts/users rather than removing list entries.
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_process_image_command_line in ("*Add-Exfiltration*", "*Add-Persistence*", "*Add-RegBackdoor*", "*Add-RemoteRegBackdoor*", "*Add-ScrnSaveBackdoor*", "*Check-VM*", "*ConvertTo-Rc4ByteStream*", "*Decrypt-Hash*", "*Disable-ADIDNSNode*", "*Disable-MachineAccount*", "*Do-Exfiltration*", "*Enable-ADIDNSNode*", "*Enable-MachineAccount*", "*Enabled-DuplicateToken*", "*Exploit-Jboss*", "*Export-ADR*", "*Export-ADRCSV*", "*Export-ADRExcel*", "*Export-ADRHTML*", "*Export-ADRJSON*", "*Export-ADRXML*", "*Find-Fruit*", "*Find-GPOLocation*", "*Find-TrustedDocuments*", "*Get-ADIDNS*", "*Get-ApplicationHost*", "*Get-ChromeDump*", "*Get-ClipboardContents*", "*Get-FoxDump*", "*Get-GPPPassword*", "*Get-IndexedItem*", "*Get-KerberosAESKey*", "*Get-Keystrokes*", "*Get-LSASecret*", "*Get-MachineAccountAttribute*", "*Get-MachineAccountCreator*", "*Get-PassHashes*", "*Get-RegAlwaysInstallElevated*", "*Get-RegAutoLogon*", "*Get-RemoteBootKey*", "*Get-RemoteCachedCredential*", "*Get-RemoteLocalAccountHash*", "*Get-RemoteLSAKey*", "*Get-RemoteMachineAccountHash*", "*Get-RemoteNLKMKey*", "*Get-RickAstley*", "*Get-Screenshot*", "*Get-SecurityPackages*", "*Get-ServiceFilePermission*", "*Get-ServicePermission*", "*Get-ServiceUnquoted*", "*Get-SiteListPassword*", "*Get-System*", "*Get-TimedScreenshot*", "*Get-UnattendedInstallFile*", "*Get-Unconstrained*", "*Get-USBKeystrokes*", "*Get-VaultCredential*", "*Get-VulnAutoRun*", "*Get-VulnSchTask*", "*Grant-ADIDNSPermission*", "*Gupt-Backdoor*", "*HTTP-Login*", "*Install-ServiceBinary*", "*Install-SSP*", "*Invoke-ACLScanner*", "*Invoke-ADRecon*", "*Invoke-ADSBackdoor*", "*Invoke-AgentSmith*", "*Invoke-AllChecks*", "*Invoke-ARPScan*", "*Invoke-AzureHound*", "*Invoke-BackdoorLNK*", "*Invoke-BadPotato*", "*Invoke-BetterSafetyKatz*", "*Invoke-BypassUAC*", "*Invoke-Carbuncle*", "*Invoke-Certify*", "*Invoke-ConPtyShell*", "*Invoke-CredentialInjection*", "*Invoke-DAFT*", "*Invoke-DCSync*", "*Invoke-DinvokeKatz*", "*Invoke-DllInjection*", 
"*Invoke-DNSUpdate*", "*Invoke-DNSExfiltrator*", "*Invoke-DomainPasswordSpray*", "*Invoke-DowngradeAccount*", "*Invoke-EgressCheck*", "*Invoke-Eyewitness*", "*Invoke-FakeLogonScreen*", "*Invoke-Farmer*", "*Invoke-Get-RBCD-Threaded*", "*Invoke-Gopher*", "*Invoke-Grouper*", "*Invoke-HandleKatz*", "*Invoke-ImpersonatedProcess*", "*Invoke-ImpersonateSystem*", "*Invoke-InteractiveSystemPowerShell*", "*Invoke-Internalmonologue*", "*Invoke-Inveigh*", "*Invoke-InveighRelay*", "*Invoke-KrbRelay*", "*Invoke-LdapSignCheck*", "*Invoke-Lockless*", "*Invoke-MalSCCM*", "*Invoke-Mimikatz*", "*Invoke-Mimikittenz*", "*Invoke-MITM6*", "*Invoke-NanoDump*", "*Invoke-NetRipper*", "*Invoke-Nightmare*", "*Invoke-NinjaCopy*", "*Invoke-OfficeScrape*", "*Invoke-OxidResolver*", "*Invoke-P0wnedshell*", "*Invoke-Paranoia*", "*Invoke-PortScan*", "*Invoke-PoshRatHttp*", "*Invoke-PostExfil*", "*Invoke-PowerDump*", "*Invoke-PowerDPAPI*", "*Invoke-PowerShellTCP*", "*Invoke-PowerShellWMI*", "*Invoke-PPLDump*", "*Invoke-PsExec*", "*Invoke-PSInject*", "*Invoke-PsUaCme*", "*Invoke-ReflectivePEInjection*", "*Invoke-ReverseDNSLookup*", "*Invoke-Rubeus*", "*Invoke-RunAs*", "*Invoke-SafetyKatz*", "*Invoke-SauronEye*", "*Invoke-SCShell*", "*Invoke-Seatbelt*", "*Invoke-ServiceAbuse*", "*Invoke-ShadowSpray*", "*Invoke-Sharp*", "*Invoke-Shellcode*", "*Invoke-SMBScanner*", "*Invoke-Snaffler*", "*Invoke-Spoolsample*", "*Invoke-SpraySinglePassword*", "*Invoke-SSHCommand*", "*Invoke-StandIn*", "*Invoke-StickyNotesExtract*", "*Invoke-SystemCommand*", "*Invoke-Tasksbackdoor*", "*Invoke-Tater*", "*Invoke-Thunderfox*", "*Invoke-ThunderStruck*", "*Invoke-TokenManipulation*", "*Invoke-Tokenvator*", "*Invoke-TotalExec*", "*Invoke-UrbanBishop*", "*Invoke-UserHunter*", "*Invoke-VoiceTroll*", "*Invoke-Whisker*", "*Invoke-WinEnum*", "*Invoke-winPEAS*", "*Invoke-WireTap*", "*Invoke-WmiCommand*", "*Invoke-WMIExec*", "*Invoke-WScriptBypassUAC*", "*Invoke-Zerologon*", "*MailRaider*", "*New-ADIDNSNode*", "*New-DNSRecordArray*", 
"*New-HoneyHash*", "*New-InMemoryModule*", "*New-MachineAccount*", "*New-SOASerialNumberArray*", "*Out-Minidump*", "*Port-Scan*", "*PowerBreach*", "*powercat *", "*PowerUp*", "*PowerView*", "*Remove-ADIDNSNode*", "*Remove-MachineAccount*", "*Remove-Update*", "*Rename-ADIDNSNode*", "*Revoke-ADIDNSPermission*", "*Set-ADIDNSNode*", "*Set-MacAttribute*", "*Set-MachineAccountAttribute*", "*Set-Wallpaper*", "*Show-TargetScreen*", "*Start-CaptureServer*", "*Start-Dnscat2*", "*Start-WebcamRecorder*", "*Veeam-Get-Creds*", "*VolumeShadowCopyTools*")))