// Hunts for PowerShell payloads staged in Windows environment-variable registry keys.
// Scope: REGISTRY / REGISTRY_SET_VALUE events on Windows hosts whose key path contains
// "\Environment\" (the user or machine Environment key).
// Match: the value NAME or the value DATA is exactly "powershell"/"pwsh", or contains one of
// the wildcarded fragments below (Temp/Public path fragments, strings that look like base64
// of a PE "MZ" header, and strings that look like base64 of "Invoke-"/IEX/other PowerShell
// tokens in ASCII and UTF-16 encodings — NOTE(review): decode and confirm each fragment).
// Note: case_sensitive = false applies to the whole filter, so the base64 prefixes match
// regardless of letter case; this is broader than a strict base64 comparison and may add noise.
config case_sensitive = false | preset=xdr_registry | filter (event_type = ENUM.REGISTRY and 
 event_sub_type = ENUM.REGISTRY_SET_VALUE) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_registry_key_name contains "\Environment\" and 
// Branch 1: exact value name or data equal to a PowerShell binary name.
 (((action_registry_value_name in ("powershell", "pwsh")) or 
 (action_registry_data in ("powershell", "pwsh"))) or 
// Branch 2: path fragments and longer base64 fragments (value name, then value data; same list twice).
 ((action_registry_value_name in ("*\AppData\Local\Temp\*", "*C:\Users\Public\*", "*TVqQAAMAAAAEAAAA*", "*TVpQAAIAAAAEAA8A*", "*TVqAAAEAAAAEABAA*", "*TVoAAAAAAAAAAAAA*", "*TVpTAQEAAAAEAAAA*", "*SW52b2tlL*", "*ludm9rZS*", "*JbnZva2Ut*", "*SQBuAHYAbwBrAGUALQ*", "*kAbgB2AG8AawBlAC0A*", "*JAG4AdgBvAGsAZQAtA*")) or 
 (action_registry_data in ("*\AppData\Local\Temp\*", "*C:\Users\Public\*", "*TVqQAAMAAAAEAAAA*", "*TVpQAAIAAAAEAA8A*", "*TVqAAAEAAAAEABAA*", "*TVoAAAAAAAAAAAAA*", "*TVpTAQEAAAAEAAAA*", "*SW52b2tlL*", "*ludm9rZS*", "*JbnZva2Ut*", "*SQBuAHYAbwBrAGUALQ*", "*kAbgB2AG8AawBlAC0A*", "*JAG4AdgBvAGsAZQAtA*"))) or 
// Branch 3: short prefix-anchored fragments (trailing "*" only) — these are the noisiest terms;
// tune or baseline before alerting on them.
 ((action_registry_value_name in ("SUVY*", "SQBFAF*", "SQBuAH*", "cwBhA*", "aWV4*", "aQBlA*", "R2V0*", "dmFy*", "dgBhA*", "dXNpbm*", "H4sIA*", "Y21k*", "cABhAH*", "Qzpc*", "Yzpc*")) or 
 (action_registry_data in ("SUVY*", "SQBFAF*", "SQBuAH*", "cwBhA*", "aWV4*", "aQBlA*", "R2V0*", "dmFy*", "dgBhA*", "dXNpbm*", "H4sIA*", "Y21k*", "cABhAH*", "Qzpc*", "Yzpc*"))))))