// Cortex XDR XQL detection: flag FILE events on Windows endpoints whose file name
// matches a known offensive PowerShell script name (output format looks like a
// pySigma Cortex XDR backend rendering of a Sigma rule — confirm against upstream).
//
// Matching notes (from the query text itself):
//  - `case_sensitive = false` makes every comparison below case-insensitive.
//  - `preset=xdr_file` with `event_type = ENUM.FILE` selects file telemetry only;
//    the file operation (create, write, rename, ...) is NOT narrowed, so any FILE
//    event carrying a matching name fires.
//  - The Windows OS check wraps BOTH name branches, so the `or` below never
//    escapes it.
//  - Branch 1: exact leaf-name match via `in (...)` with a leading `*\` wildcard,
//    so the directory is irrelevant and only the base name is compared.
//  - Branch 2: substring match — any name containing both "Invoke-Sharp" and
//    ".ps1"; ".ps1" need not be the suffix, which is a potential false-positive
//    source worth tuning (e.g. require the extension at the end of the name).
//  - "Enable-DuplicateToken.ps1" and "Enabled-DuplicateToken.ps1" both appear;
//    presumably intentional (both spellings are in circulation) — verify upstream.
//  - Coverage is by file name only; a renamed copy is not caught. Pair with
//    PowerShell script-block logging / content-based rules for depth.
config case_sensitive = false | preset=xdr_file | filter event_type = ENUM.FILE and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_file_name in ("*\Add-ConstrainedDelegationBackdoor.ps1", "*\Add-Exfiltration.ps1", "*\Add-Persistence.ps1", "*\Add-RegBackdoor.ps1", "*\Add-RemoteRegBackdoor.ps1", "*\Add-ScrnSaveBackdoor.ps1", "*\ADRecon.ps1", "*\AzureADRecon.ps1", "*\BadSuccessor.ps1", "*\Check-VM.ps1", "*\ConvertTo-ROT13.ps1", "*\Copy-VSS.ps1", "*\Create-MultipleSessions.ps1", "*\DNS_TXT_Pwnage.ps1", "*\dnscat2.ps1", "*\Do-Exfiltration.ps1", "*\DomainPasswordSpray.ps1", "*\Download_Execute.ps1", "*\Download-Execute-PS.ps1", "*\Enable-DuplicateToken.ps1", "*\Enabled-DuplicateToken.ps1", "*\Execute-Command-MSSQL.ps1", "*\Execute-DNSTXT-Code.ps1", "*\Execute-OnTime.ps1", "*\ExetoText.ps1", "*\Exploit-Jboss.ps1", "*\Find-AVSignature.ps1", "*\Find-Fruit.ps1", "*\Find-GPOLocation.ps1", "*\Find-TrustedDocuments.ps1", "*\FireBuster.ps1", "*\FireListener.ps1", "*\Get-ApplicationHost.ps1", "*\Get-ChromeDump.ps1", "*\Get-ClipboardContents.ps1", "*\Get-ComputerDetail.ps1", "*\Get-FoxDump.ps1", "*\Get-GPPAutologon.ps1", "*\Get-GPPPassword.ps1", "*\Get-IndexedItem.ps1", "*\Get-Keystrokes.ps1", "*\Get-LSASecret.ps1", "*\Get-MicrophoneAudio.ps1", "*\Get-PassHashes.ps1", "*\Get-PassHints.ps1", "*\Get-RegAlwaysInstallElevated.ps1", "*\Get-RegAutoLogon.ps1", "*\Get-RickAstley.ps1", "*\Get-Screenshot.ps1", "*\Get-SecurityPackages.ps1", "*\Get-ServiceFilePermission.ps1", "*\Get-ServicePermission.ps1", "*\Get-ServiceUnquoted.ps1", "*\Get-SiteListPassword.ps1", "*\Get-System.ps1", "*\Get-TimedScreenshot.ps1", "*\Get-UnattendedInstallFile.ps1", "*\Get-Unconstrained.ps1", "*\Get-USBKeystrokes.ps1", "*\Get-VaultCredential.ps1", "*\Get-VulnAutoRun.ps1", "*\Get-VulnSchTask.ps1", "*\Get-WebConfig.ps1", "*\Get-WebCredentials.ps1", "*\Get-WLAN-Keys.ps1", "*\Gupt-Backdoor.ps1", "*\HTTP-Backdoor.ps1", "*\HTTP-Login.ps1", "*\Install-ServiceBinary.ps1", "*\Install-SSP.ps1", "*\Invoke-ACLScanner.ps1", "*\Invoke-ADSBackdoor.ps1", "*\Invoke-AmsiBypass.ps1", "*\Invoke-ARPScan.ps1", "*\Invoke-BackdoorLNK.ps1", 
"*\Invoke-BadPotato.ps1", "*\Invoke-BetterSafetyKatz.ps1", "*\Invoke-BruteForce.ps1", "*\Invoke-BypassUAC.ps1", "*\Invoke-Carbuncle.ps1", "*\Invoke-Certify.ps1", "*\Invoke-ConPtyShell.ps1", "*\Invoke-CredentialInjection.ps1", "*\Invoke-CredentialsPhish.ps1", "*\Invoke-DAFT.ps1", "*\Invoke-DCSync.ps1", "*\Invoke-Decode.ps1", "*\Invoke-DinvokeKatz.ps1", "*\Invoke-DllInjection.ps1", "*\Invoke-DNSExfiltrator.ps1", "*\Invoke-DNSUpdate.ps1", "*\Invoke-DowngradeAccount.ps1", "*\Invoke-EgressCheck.ps1", "*\Invoke-Encode.ps1", "*\Invoke-EventViewer.ps1", "*\Invoke-Eyewitness.ps1", "*\Invoke-FakeLogonScreen.ps1", "*\Invoke-Farmer.ps1", "*\Invoke-Get-RBCD-Threaded.ps1", "*\Invoke-Gopher.ps1", "*\Invoke-Grouper2.ps1", "*\Invoke-Grouper3.ps1", "*\Invoke-HandleKatz.ps1", "*\Invoke-Interceptor.ps1", "*\Invoke-Internalmonologue.ps1", "*\Invoke-Inveigh.ps1", "*\Invoke-InveighRelay.ps1", "*\Invoke-JSRatRegsvr.ps1", "*\Invoke-JSRatRundll.ps1", "*\Invoke-KrbRelay.ps1", "*\Invoke-KrbRelayUp.ps1", "*\Invoke-LdapSignCheck.ps1", "*\Invoke-Lockless.ps1", "*\Invoke-MalSCCM.ps1", "*\Invoke-Mimikatz.ps1", "*\Invoke-MimikatzWDigestDowngrade.ps1", "*\Invoke-Mimikittenz.ps1", "*\Invoke-MITM6.ps1", "*\Invoke-NanoDump.ps1", "*\Invoke-NetRipper.ps1", "*\Invoke-NetworkRelay.ps1", "*\Invoke-NinjaCopy.ps1", "*\Invoke-OxidResolver.ps1", "*\Invoke-P0wnedshell.ps1", "*\Invoke-P0wnedshellx86.ps1", "*\Invoke-Paranoia.ps1", "*\Invoke-PortScan.ps1", "*\Invoke-PoshRatHttp.ps1", "*\Invoke-PoshRatHttps.ps1", "*\Invoke-PostExfil.ps1", "*\Invoke-PowerDump.ps1", "*\Invoke-PowerDPAPI.ps1", "*\Invoke-PowerShellIcmp.ps1", "*\Invoke-PowerShellTCP.ps1", "*\Invoke-PowerShellTcpOneLine.ps1", "*\Invoke-PowerShellTcpOneLineBind.ps1", "*\Invoke-PowerShellUdp.ps1", "*\Invoke-PowerShellUdpOneLine.ps1", "*\Invoke-PowerShellWMI.ps1", "*\Invoke-PowerThIEf.ps1", "*\Invoke-PPLDump.ps1", "*\Invoke-Prasadhak.ps1", "*\Invoke-PsExec.ps1", "*\Invoke-PsGcat.ps1", "*\Invoke-PsGcatAgent.ps1", "*\Invoke-PSInject.ps1", 
"*\Invoke-PsUaCme.ps1", "*\Invoke-ReflectivePEInjection.ps1", "*\Invoke-ReverseDNSLookup.ps1", "*\Invoke-Rubeus.ps1", "*\Invoke-RunAs.ps1", "*\Invoke-SafetyKatz.ps1", "*\Invoke-SauronEye.ps1", "*\Invoke-SCShell.ps1", "*\Invoke-Seatbelt.ps1", "*\Invoke-ServiceAbuse.ps1", "*\Invoke-SessionGopher.ps1", "*\Invoke-ShellCode.ps1", "*\Invoke-SMBScanner.ps1", "*\Invoke-Snaffler.ps1", "*\Invoke-Spoolsample.ps1", "*\Invoke-SSHCommand.ps1", "*\Invoke-SSIDExfil.ps1", "*\Invoke-StandIn.ps1", "*\Invoke-StickyNotesExtract.ps1", "*\Invoke-Tater.ps1", "*\Invoke-Thunderfox.ps1", "*\Invoke-ThunderStruck.ps1", "*\Invoke-TokenManipulation.ps1", "*\Invoke-Tokenvator.ps1", "*\Invoke-TotalExec.ps1", "*\Invoke-UrbanBishop.ps1", "*\Invoke-UserHunter.ps1", "*\Invoke-VoiceTroll.ps1", "*\Invoke-Whisker.ps1", "*\Invoke-WinEnum.ps1", "*\Invoke-winPEAS.ps1", "*\Invoke-WireTap.ps1", "*\Invoke-WmiCommand.ps1", "*\Invoke-WScriptBypassUAC.ps1", "*\Invoke-Zerologon.ps1", "*\Keylogger.ps1", "*\MailRaider.ps1", "*\New-HoneyHash.ps1", "*\OfficeMemScraper.ps1", "*\Offline_Winpwn.ps1", "*\Out-CHM.ps1", "*\Out-DnsTxt.ps1", "*\Out-Excel.ps1", "*\Out-HTA.ps1", "*\Out-Java.ps1", "*\Out-JS.ps1", "*\Out-Minidump.ps1", "*\Out-RundllCommand.ps1", "*\Out-SCF.ps1", "*\Out-SCT.ps1", "*\Out-Shortcut.ps1", "*\Out-WebQuery.ps1", "*\Out-Word.ps1", "*\Parse_Keys.ps1", "*\Port-Scan.ps1", "*\PowerBreach.ps1", "*\powercat.ps1", "*\Powermad.ps1", "*\PowerRunAsSystem.psm1", "*\PowerSharpPack.ps1", "*\PowerUp.ps1", "*\PowerUpSQL.ps1", "*\PowerView.ps1", "*\PSAsyncShell.ps1", "*\RemoteHashRetrieval.ps1", "*\Remove-Persistence.ps1", "*\Remove-PoshRat.ps1", "*\Remove-Update.ps1", "*\Run-EXEonRemote.ps1", "*\Schtasks-Backdoor.ps1", "*\Set-DCShadowPermissions.ps1", "*\Set-MacAttribute.ps1", "*\Set-RemotePSRemoting.ps1", "*\Set-RemoteWMI.ps1", "*\Set-Wallpaper.ps1", "*\Show-TargetScreen.ps1", "*\Speak.ps1", "*\Start-CaptureServer.ps1", "*\Start-WebcamRecorder.ps1", "*\StringToBase64.ps1", "*\TexttoExe.ps1", "*\Veeam-Get-Creds.ps1", 
"*\VolumeShadowCopyTools.ps1", "*\WinPwn.ps1", "*\WSUSpendu.ps1")) or 
// Branch 2: substring match on the "Invoke-Sharp*" family (e.g. PowerSharpPack
// wrappers); ".ps1" is checked with `contains`, not as a suffix.
 (action_file_name contains "Invoke-Sharp" and 
 action_file_name contains ".ps1")))