// Purpose: flag Windows process-start events whose command line pairs a DLL name
// with one of its exports (or "javascript:" with ".RegisterXLL") in combinations
// commonly associated with rundll32-style proxy execution (MITRE ATT&CK T1218.011),
// minus a small set of Control Panel launches treated as benign.
//
// How matching works:
//  - `config case_sensitive = false` makes every string comparison below
//    case-insensitive, so "OpenURL" also matches "openurl".
//  - Every selection clause is a substring (`contains`) test on
//    action_process_image_command_line only.
//
// NOTE(review): no clause pins the process image to rundll32.exe. Any process
// whose command line contains both substrings of a pair matches. Confirm this
// breadth is intended before tuning alert volume.
// NOTE(review): the flat structure suggests this was machine-converted from
// another rule format. If so, compare it against the upstream rule.
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 // ---- Selection: any ONE of the following DLL/export pairs ----
 (((action_process_image_command_line contains "javascript:" and 
 action_process_image_command_line contains ".RegisterXLL") or 
 // url.dll exports that, by name, open a URL or hand a path to a protocol handler.
 (action_process_image_command_line contains "url.dll" and 
 action_process_image_command_line contains "OpenURL") or 
 // Redundant with the clause above: "OpenURLA" contains "OpenURL". Harmless.
 (action_process_image_command_line contains "url.dll" and 
 action_process_image_command_line contains "OpenURLA") or 
 (action_process_image_command_line contains "url.dll" and 
 action_process_image_command_line contains "FileProtocolHandler") or 
 (action_process_image_command_line contains "zipfldr.dll" and 
 action_process_image_command_line contains "RouteTheCall") or 
 // shell32.dll launch helpers. Control_RunDLL is also how Control Panel applets
 // normally start, which is why the exclusions at the bottom exist.
 (action_process_image_command_line contains "shell32.dll" and 
 action_process_image_command_line contains "Control_RunDLL") or 
 (action_process_image_command_line contains "shell32.dll" and 
 action_process_image_command_line contains "ShellExec_RunDLL") or 
 (action_process_image_command_line contains "mshtml.dll" and 
 action_process_image_command_line contains "PrintHTML") or 
 // INF-section / OCX registration exports.
 (action_process_image_command_line contains "advpack.dll" and 
 action_process_image_command_line contains "LaunchINFSection") or 
 (action_process_image_command_line contains "advpack.dll" and 
 action_process_image_command_line contains "RegisterOCX") or 
 // The two ieadvpack.dll clauses are subsumed by the advpack.dll clauses above,
 // because "ieadvpack.dll" contains the substring "advpack.dll". Harmless.
 (action_process_image_command_line contains "ieadvpack.dll" and 
 action_process_image_command_line contains "LaunchINFSection") or 
 (action_process_image_command_line contains "ieadvpack.dll" and 
 action_process_image_command_line contains "RegisterOCX") or 
 (action_process_image_command_line contains "ieframe.dll" and 
 action_process_image_command_line contains "OpenURL") or 
 (action_process_image_command_line contains "shdocvw.dll" and 
 action_process_image_command_line contains "OpenURL") or 
 (action_process_image_command_line contains "syssetup.dll" and 
 action_process_image_command_line contains "SetupInfObjectInstallAction") or 
 (action_process_image_command_line contains "setupapi.dll" and 
 action_process_image_command_line contains "InstallHinfSection") or 
 (action_process_image_command_line contains "pcwutl.dll" and 
 action_process_image_command_line contains "LaunchApplication") or 
 (action_process_image_command_line contains "dfshim.dll" and 
 action_process_image_command_line contains "ShOpenVerbApplication") or 
 (action_process_image_command_line contains "dfshim.dll" and 
 action_process_image_command_line contains "ShOpenVerbShortcut") or 
 // The next two pairs match only when "http" also appears in the command line,
 // which covers both http and https. Purely local invocations are not flagged.
 (action_process_image_command_line contains "scrobj.dll" and 
 action_process_image_command_line contains "GenerateTypeLib" and 
 action_process_image_command_line contains "http") or 
 (action_process_image_command_line contains "shimgvw.dll" and 
 action_process_image_command_line contains "ImageView_Fullscreen" and 
 action_process_image_command_line contains "http") or 
 // comsvcs.dll + MiniDump is commonly associated with process-memory dumping
 // (e.g. ATT&CK T1003.001). A hit here warrants higher triage priority than
 // the proxy-execution pairs above.
 (action_process_image_command_line contains "comsvcs.dll" and 
 action_process_image_command_line contains "MiniDump")) and 
 // ---- Exclusions: a match on ANY branch below suppresses the event, ----
 // ---- whichever selection pair fired.                                ----
 (not 
 // Screensaver settings applet.
 // NOTE(review): this branch is a bare substring test with no parent-process
 // constraint, unlike the two below. Consider also requiring the expected
 // parent so that an unrelated command line carrying this text is not suppressed.
 (action_process_image_command_line contains "shell32.dll,Control_RunDLL desk.cpl,screensaver,@screensaver" or 
 // control.exe launching a .cpl applet through Shell32.dll,Control_RunDLL.
 // The parent path is an exact match on C:\Windows\System32\control.exe, so
 // control.exe at any other path (different system drive, SysWOW64) is not
 // excluded and will still alert.
 (actor_process_image_path = "C:\Windows\System32\control.exe" and 
 actor_process_command_line contains ".cpl" and 
 (action_process_image_command_line contains "Shell32.dll" and 
 action_process_image_command_line contains "Control_RunDLL" and 
 action_process_image_command_line contains ".cpl")) or 
 // Same parent, fully quoted rundll32 invocation of an applet under System32.
 // NOTE(review): the first literal below ends in a backslash directly before
 // its closing quote. Confirm the XQL parser reads that as a literal backslash
 // and not an escaped quote, and validate the query in the tenant before
 // relying on this exclusion.
 (actor_process_image_path = "C:\Windows\System32\control.exe" and 
 action_process_image_command_line contains "\"C:\Windows\system32\rundll32.exe\" Shell32.dll,Control_RunDLL \"C:\Windows\System32\" and 
 action_process_image_command_line contains ".cpl\",")))))