// Detection: dbghelp.dll / dbgcore.dll loaded by a shell, script host, Office
// application or system utility on a Windows endpoint.
// Both DLLs export MiniDumpWriteDump; presumably the rule targets process-memory
// dumping (e.g. LSASS, ATT&CK T1003.001) from hosts that rarely need a dump
// library. Confirm against the rule this query was derived from.
//
// Stages: case-insensitive string matching -> xdr_image_load preset -> one filter.
// Filter shape: LOAD_IMAGE event AND Windows agent AND module-path match
//               AND actor-image match AND NOT (exclusion 1 OR 2 OR 3).
//
// NOTE(review): several literals contain backslashes, and "C:\WINDOWS\WinSxS\"
// ends with one directly before the closing quote. Confirm the parser in your
// tenant reads these as literal backslashes and not as escape sequences.
config case_sensitive = false | preset=xdr_image_load | filter event_type = ENUM.LOAD_IMAGE and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 // Leading "*\" matches the DLL by file name in any directory, so copies loaded
 // from outside the system directory match as well.
 (((action_module_path in ("*\dbghelp.dll", "*\dbgcore.dll")) and 
 // Loading process must be one of these images, matched by file name only; the
 // directory the binary runs from is not constrained.
 (actor_process_image_path in ("*\bash.exe", "*\cmd.exe", "*\cscript.exe", "*\dnx.exe", "*\excel.exe", "*\monitoringhost.exe", "*\msbuild.exe", "*\mshta.exe", "*\outlook.exe", "*\powerpnt.exe", "*\regsvcs.exe", "*\rundll32.exe", "*\sc.exe", "*\scriptrunner.exe", "*\winword.exe", "*\wmic.exe", "*\wscript.exe"))) and 
 // Exclusions follow: an event matching any one of the three groups is dropped.
 (not 
 // Exclusion 1: actor command line contains both the WinSxS path and
 // "\TiWorker.exe -Embedding".
 // NOTE(review): this keys on command-line text, not on the image path, and
 // TiWorker.exe is not in the actor list above. It only applies when a listed
 // process carries both strings in its own command line. Command-line text is
 // chosen by whoever launches the process, so this is weaker than an image-path
 // or signer condition. Confirm it is still wanted.
 ((actor_process_command_line contains "C:\WINDOWS\WinSxS\" and 
 actor_process_command_line contains "\TiWorker.exe -Embedding") or 
 // Exclusion 2: svchost.exe hosting the listed service groups.
 // NOTE(review): the actor list above has no svchost.exe entry, so for ordinary
 // paths this branch cannot be true at the same time as the actor-image match.
 // It looks like a carry-over from a broader rule; verify and consider removing.
 (actor_process_image_path contains "\svchost.exe" and 
 (actor_process_command_line in ("*-k LocalServiceNetworkRestricted", "*-k WerSvcGroup"))) or 
 // Exclusion 3: rundll32.exe invoked with one of four DLL,export pairs.
 // NOTE(review): these are wildcard substring matches on the command line and do
 // not pin the DLL's directory. Consider adding a module-path or signer condition
 // so that the exclusion covers only the intended system DLLs.
 (actor_process_image_path contains "\rundll32.exe" and 
 (actor_process_command_line in ("*/d srrstr.dll,ExecuteScheduledSPPCreation*", "*aepdu.dll,AePduRunUpdate*", "*shell32.dll,OpenAs_RunDL*", "*Windows.Storage.ApplicationData.dll,CleanupTemporaryState*")))))))