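// Windows process starts whose command line carries Win32 / NTDLL API names typical of
// in-memory injection and token-manipulation tooling (e.g. P/Invoke or Add-Type blobs,
// dumper / injector scripts passed to a script host on the command line).
//
// Matching is case-insensitive and every pattern is a substring wildcard, so broad
// entries such as "*kernel32*", "*ntdll*" or "*CloseHandle*" will also fire on benign
// interop code; the list also overlaps itself ("*CreateThread*" already covers
// "*RtlCreateUserThread*", "*OpenProcess*" covers "*OpenProcessToken*"). Prefer tuning
// with additional context rather than trimming the list.
//
// Exclusions (the `not (...)` clause):
//   * MpCmdRun.exe (Windows Defender) runs whose command line contains
//     GetLoadLibraryWAddress32 -- it hits the "*LoadLibrary*" pattern.
//   * Children of CompatTelRunner.exe (Windows compatibility telemetry) whose command
//     line only carries the generic interop tokens FreeHGlobal / PtrToString /
//     kernel32 / CloseHandle.
// Both exclusions are pinned to the binary's expected install location AND require a
// valid Microsoft signature on that binary. A filename-only `contains "\MpCmdRun.exe"`
// match would let any attacker-controlled file of that name (e.g. dropped under a user
// profile) suppress the alert.
// NOTE(review): if signer strings in your tenant are reported differently (e.g.
// "Microsoft Windows"), widen the vendor check; do not remove it.
config case_sensitive = false
| preset=xdr_process
| filter (event_type = ENUM.PROCESS and event_sub_type = ENUM.PROCESS_START)
    and agent_os_type = ENUM.AGENT_OS_WINDOWS
    and action_process_image_command_line in ("*AddSecurityPackage*", "*AdjustTokenPrivileges*", "*Advapi32*", "*CloseHandle*", "*CreateProcessWithToken*", "*CreatePseudoConsole*", "*CreateRemoteThread*", "*CreateThread*", "*CreateUserThread*", "*DangerousGetHandle*", "*DuplicateTokenEx*", "*EnumerateSecurityPackages*", "*FreeHGlobal*", "*FreeLibrary*", "*GetDelegateForFunctionPointer*", "*GetLogonSessionData*", "*GetModuleHandle*", "*GetProcAddress*", "*GetProcessHandle*", "*GetTokenInformation*", "*ImpersonateLoggedOnUser*", "*kernel32*", "*LoadLibrary*", "*memcpy*", "*MiniDumpWriteDump*", "*ntdll*", "*OpenDesktop*", "*OpenProcess*", "*OpenProcessToken*", "*OpenThreadToken*", "*OpenWindowStation*", "*PtrToString*", "*QueueUserApc*", "*ReadProcessMemory*", "*RevertToSelf*", "*RtlCreateUserThread*", "*secur32*", "*SetThreadToken*", "*VirtualAlloc*", "*VirtualFree*", "*VirtualProtect*", "*WaitForSingleObject*", "*WriteInt32*", "*WriteProcessMemory*", "*ZeroFreeGlobalAllocUnicode*")
    and not (
        (
            action_process_image_path in ("*\Windows Defender\MpCmdRun.exe", "*\Windows Defender\Platform\*\MpCmdRun.exe")
            and action_process_signature_status = ENUM.SIGNED
            and action_process_signature_vendor = "Microsoft Corporation"
            and action_process_image_command_line contains "GetLoadLibraryWAddress32"
        )
        or
        (
            actor_process_image_path contains "\Windows\System32\CompatTelRunner.exe"
            and actor_process_signature_status = ENUM.SIGNED
            and actor_process_signature_vendor = "Microsoft Corporation"
            and action_process_image_command_line in ("*FreeHGlobal*", "*PtrToString*", "*kernel32*", "*CloseHandle*")
        )
    )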