// Hunting query: Windows process-start events whose image path or command line
// contains a file name from the lists below (PoC-style executable names and
// PowerShell script names).
//
// Triage notes:
//  - Matching is on names only and is case-insensitive (case_sensitive = false).
//    A renamed file will not match, so treat a hit as a lead to correlate with
//    other telemetry rather than as a verdict.
//  - Expect hits from authorised security testing and from administrators who
//    keep such scripts on disk; tune exclusions per environment.
//  - "*obfuscated.exe" and "*obfusc.exe" have no leading backslash, so they match
//    any image name that merely ends with those strings.
//  - "*\meterpreter" has no extension and no trailing wildcard: it only matches a
//    path that ends exactly in "\meterpreter".
//  - NOTE(review): backslashes are written unescaped inside the string literals
//    ("*\rshell.ps1*", "*\Temp\a.ps1*", ...). Confirm how the XQL parser on your
//    tenant treats "\" in double-quoted strings before relying on these patterns.
//  - No fields/limit stage is present, so the result shape is whatever the
//    preset returns.
config case_sensitive = false
| preset = xdr_process
| filter event_type = ENUM.PROCESS
    and event_sub_type = ENUM.PROCESS_START
    and agent_os_type = ENUM.AGENT_OS_WINDOWS
    and (
        // Image path contains a CVE-style file or directory name prefix.
        action_process_image_path in ("*\CVE-202*", "*\CVE202*")
        // Image path ends with one of these executable names.
        or action_process_image_path in (
            "*\poc.exe",
            "*\artifact.exe",
            "*\artifact64.exe",
            "*\artifact_protected.exe",
            "*\artifact32.exe",
            "*\artifact32big.exe",
            "*obfuscated.exe",
            "*obfusc.exe",
            "*\meterpreter"
        )
        // Command line references one of these script names anywhere in the string.
        or action_process_image_command_line in (
            "*inject.ps1*",
            "*Invoke-CVE*",
            "*pupy.ps1*",
            "*payload.ps1*",
            "*beacon.ps1*",
            "*PowerView.ps1*",
            "*bypass.ps1*",
            "*obfuscated.ps1*",
            "*obfusc.ps1*",
            "*obfus.ps1*",
            "*obfs.ps1*",
            "*evil.ps1*",
            "*MiniDogz.ps1*",
            "*_enc.ps1*",
            "*\shell.ps1*",
            "*\rshell.ps1*",
            "*revshell.ps1*",
            "*\av.ps1*",
            "*\av_test.ps1*",
            "*adrecon.ps1*",
            "*mimikatz.ps1*",
            "*\PowerUp_*",
            "*powerup.ps1*",
            "*\Temp\a.ps1*",
            "*\Temp\p.ps1*",
            "*\Temp\1.ps1*",
            "*Hound.ps1*",
            "*encode.ps1*",
            "*powercat.ps1*"
        )
    )