config case_sensitive = false | preset=xdr_registry | filter (event_type = ENUM.REGISTRY and 
 event_sub_type = ENUM.REGISTRY_SET_VALUE) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_registry_key_name contains "Software\Microsoft\Windows\CurrentVersion" and 
 ((action_registry_value_name in ("*vbscript:*", "*jscript:*", "*mshtml,*", "*RunHTMLApplication*", "*Execute(*", "*CreateObject*", "*window.close*")) or 
 (action_registry_data in ("*vbscript:*", "*jscript:*", "*mshtml,*", "*RunHTMLApplication*", "*Execute(*", "*CreateObject*", "*window.close*")))) and 
 (not 
 (action_registry_key_name contains "Software\Microsoft\Windows\CurrentVersion\Run" or 
 (actor_process_image_path contains "\msiexec.exe" and 
 action_registry_key_name contains "\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\" and 
 ((action_registry_value_name in ("*\Microsoft.NET\Primary Interop Assemblies\Microsoft.mshtml.dll*", "*<\Microsoft.mshtml,fileVersion=*", "*_mshtml_dll_*", "*<\Microsoft.mshtml,culture=*")) or 
 (action_registry_data in ("*\Microsoft.NET\Primary Interop Assemblies\Microsoft.mshtml.dll*", "*<\Microsoft.mshtml,fileVersion=*", "*_mshtml_dll_*", "*<\Microsoft.mshtml,culture=*"))))))))