// Cortex XDR / XSIAM XQL detection query over the xdr_process preset, case-insensitive matching.
// Purpose: flag a script/LOLBin host process (mshta, powershell, pwsh, rundll32, cscript,
// wscript, wmiprvse, regsvr32) that spawns schtasks, nslookup, certutil, bitsadmin or mshta
// on a Windows endpoint.
//
// Structure of the filter:
//   - event scope: PROCESS / PROCESS_START events where agent_os_type is Windows
//   - parent  (actor_process_image_path)  must end in one of the listed host binaries
//   - child   (action_process_image_path) must end in one of the listed utilities
//   - the trailing "not ( ... )" clause suppresses known chains:
//       * child working directory containing "\ccmcache\" (presumably the ConfigMgr client
//         cache folder; confirm against the environment)
//       * parent command line matching the Amazon WorkSpacesConfig setup-scheduledtask /
//         set-selfhealing / check-workspacehealth scripts
//       * parent command line matching "*\nessus_*" or child command line containing "\nessus_"
//       * the ConfigMgr installer chain mshta splash.hta -> mshta autorun.hta, pinned to the
//         "C:\MEM_Configmgr_" path, "\SMSSETUP\BIN\" and GUID {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
//         on both parent and child command lines; this branch only applies when both
//         parent and child are mshta.exe
//
// NOTE(review): every exclusion is a substring or wildcard match rather than a full-path
// comparison. "\nessus_" and "\ccmcache\" in particular suppress the alert for any command
// line or working directory containing that text, regardless of which binary ran. Consider
// anchoring these to the expected install paths (full path, not "contains") and re-checking
// the suppressed event volume after each change to the allow-list.
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (((actor_process_image_path in ("*\mshta.exe", "*\powershell.exe", "*\pwsh.exe", "*\rundll32.exe", "*\cscript.exe", "*\wscript.exe", "*\wmiprvse.exe", "*\regsvr32.exe")) and 
 (action_process_image_path in ("*\schtasks.exe", "*\nslookup.exe", "*\certutil.exe", "*\bitsadmin.exe", "*\mshta.exe"))) and 
 (not 
 (action_process_cwd contains "\ccmcache\" or 
 (actor_process_command_line in ("*\Program Files\Amazon\WorkSpacesConfig\Scripts\setup-scheduledtask.ps1*", "*\Program Files\Amazon\WorkSpacesConfig\Scripts\set-selfhealing.ps1*", "*\Program Files\Amazon\WorkSpacesConfig\Scripts\check-workspacehealth.ps1*", "*\nessus_*")) or 
 action_process_image_command_line contains "\nessus_" or 
 (actor_process_image_path contains "\mshta.exe" and 
 action_process_image_path contains "\mshta.exe" and 
 (actor_process_command_line contains "C:\MEM_Configmgr_" and 
 actor_process_command_line contains "\splash.hta" and 
 actor_process_command_line contains "{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}") and 
 (action_process_image_command_line contains "C:\MEM_Configmgr_" and 
 action_process_image_command_line contains "\SMSSETUP\BIN\" and 
 action_process_image_command_line contains "\autorun.hta" and 
 action_process_image_command_line contains "{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}"))))))