// Hunting query (Cortex XDR XQL): PowerShell started with abbreviated
// command-line parameters.
//
// Returns Windows process-start events whose image path ends in
// \powershell.exe or \pwsh.exe and whose command line contains one of the
// parameter substrings listed below. Comparison is case-insensitive (see the
// config stage). Each substring is listed twice: once with a "-" prefix and
// once with a "/" prefix.
//
// Coverage notes for whoever tunes this rule:
//  * Only shortened spellings are listed. Fully spelled parameters
//    (-NoProfile, -NonInteractive, -EncodedCommand, -ExecutionPolicy) and the
//    short forms -nop, -enc, -e and -w are not in the list.
//    NOTE(review): this looks intentional (flagging unusual abbreviations);
//    confirm a companion rule covers the common forms.
//  * Every pattern starts with "* " and most end with " *", so a parameter
//    must be preceded by a space, and for the " *" patterns also followed by
//    one. NOTE(review): a listed parameter that is the last token on the
//    command line would presumably not match those patterns; verify against
//    sample telemetry.
//  * NOTE(review): the image-path patterns contain a single backslash; confirm
//    the XQL parser in use treats it as a literal character.
config case_sensitive = false
| preset = xdr_process
// Process creation events only.
| filter event_type = ENUM.PROCESS and event_sub_type = ENUM.PROCESS_START
// Windows endpoints only.
| filter agent_os_type = ENUM.AGENT_OS_WINDOWS
// Windows PowerShell and PowerShell 7+ hosts, matched on the end of the image path.
| filter action_process_image_path in ("*\powershell.exe", "*\pwsh.exe")
| filter action_process_image_command_line in (
    // -WindowStyle Hidden, shortened parameter name followed by a value starting with "h"
    "* -windowstyle h *",
    "* -windowstyl h*",
    "* -windowsty h*",
    "* -windowst h*",
    "* -windows h*",
    "* -windo h*",
    "* -wind h*",
    "* -win h*",
    "* -wi h*",
    // The next five are already covered by "* -win h*"; kept as in the original list.
    "* -win h *",
    "* -win hi *",
    "* -win hid *",
    "* -win hidd *",
    "* -win hidde *",
    // -NoProfile, shortened
    "* -NoPr *",
    "* -NoPro *",
    "* -NoProf *",
    "* -NoProfi *",
    "* -NoProfil *",
    // -NonInteractive, shortened
    "* -nonin *",
    "* -nonint *",
    "* -noninte *",
    "* -noninter *",
    "* -nonintera *",
    "* -noninterac *",
    "* -noninteract *",
    "* -noninteracti *",
    "* -noninteractiv *",
    // -EncodedCommand, shortened
    "* -ec *",
    "* -encodedComman *",
    "* -encodedComma *",
    "* -encodedComm *",
    "* -encodedCom *",
    "* -encodedCo *",
    "* -encodedC *",
    "* -encoded *",
    "* -encode *",
    "* -encod *",
    "* -enco *",
    "* -en *",
    // -ExecutionPolicy, shortened (any value)
    "* -executionpolic *",
    "* -executionpoli *",
    "* -executionpol *",
    "* -executionpo *",
    "* -executionp *",
    // -ExecutionPolicy, shorter forms, only when the value starts with "bypass"
    "* -execution bypass*",
    "* -executio bypass*",
    "* -executi bypass*",
    "* -execut bypass*",
    "* -execu bypass*",
    "* -exec bypass*",
    "* -exe bypass*",
    "* -ex bypass*",
    "* -ep bypass*",
    // Same substrings with a "/" parameter prefix.
    "* /windowstyle h *",
    "* /windowstyl h*",
    "* /windowsty h*",
    "* /windowst h*",
    "* /windows h*",
    "* /windo h*",
    "* /wind h*",
    "* /win h*",
    "* /wi h*",
    "* /win h *",
    "* /win hi *",
    "* /win hid *",
    "* /win hidd *",
    "* /win hidde *",
    "* /NoPr *",
    "* /NoPro *",
    "* /NoProf *",
    "* /NoProfi *",
    "* /NoProfil *",
    "* /nonin *",
    "* /nonint *",
    "* /noninte *",
    "* /noninter *",
    "* /nonintera *",
    "* /noninterac *",
    "* /noninteract *",
    "* /noninteracti *",
    "* /noninteractiv *",
    "* /ec *",
    "* /encodedComman *",
    "* /encodedComma *",
    "* /encodedComm *",
    "* /encodedCom *",
    "* /encodedCo *",
    "* /encodedC *",
    "* /encoded *",
    "* /encode *",
    "* /encod *",
    "* /enco *",
    "* /en *",
    "* /executionpolic *",
    "* /executionpoli *",
    "* /executionpol *",
    "* /executionpo *",
    "* /executionp *",
    "* /execution bypass*",
    "* /executio bypass*",
    "* /executi bypass*",
    "* /execut bypass*",
    "* /execu bypass*",
    "* /exec bypass*",
    "* /exe bypass*",
    "* /ex bypass*",
    "* /ep bypass*"
  )