// Cortex XDR XQL: Windows Run-key autostart entries whose value name or
// value data contains PowerShell launcher / evasion / download strings.
// Matching is case-insensitive (config below); "*" is the wildcard inside in().
config case_sensitive = false
| preset = xdr_registry
// Only registry SET_VALUE events from Windows agents are of interest.
| filter event_type = ENUM.REGISTRY and event_sub_type = ENUM.REGISTRY_SET_VALUE
| filter agent_os_type = ENUM.AGENT_OS_WINDOWS
// Autostart locations: HKLM/HKCU Run* keys (the trailing "*" also covers RunOnce),
// the WOW6432Node mirror, and the Policies\Explorer\Run key.
| filter action_registry_key_name in ("*\Software\Microsoft\Windows\CurrentVersion\Run*", "*\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run*", "*\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run*")
// The same term list is applied to the value name and to the value data; XQL has no
// list variables, so it is spelled out twice. Terms with surrounding spaces (e.g. "*pwsh *",
// "*IWR *") require a following space and so will not match when the token is the last thing
// in the value. NOTE(review): "*powershell*" on its own will also fire on benign Run entries
// that merely launch powershell.exe — confirm the intended false-positive tolerance.
| filter action_registry_value_name in ("*powershell*", "*pwsh *", "*FromBase64String*", "*.DownloadFile(*", "*.DownloadString(*", "* -w hidden *", "* -w 1 *", "*-windowstyle hidden*", "*-window hidden*", "* -nop *", "* -encodedcommand *", "*-ExecutionPolicy Bypass*", "*Invoke-Expression*", "*IEX (*", "*Invoke-Command*", "*ICM -*", "*Invoke-WebRequest*", "*IWR *", "*Invoke-RestMethod*", "*IRM *", "* -noni *", "* -noninteractive *")
    or action_registry_data in ("*powershell*", "*pwsh *", "*FromBase64String*", "*.DownloadFile(*", "*.DownloadString(*", "* -w hidden *", "* -w 1 *", "*-windowstyle hidden*", "*-window hidden*", "* -nop *", "* -encodedcommand *", "*-ExecutionPolicy Bypass*", "*Invoke-Expression*", "*IEX (*", "*Invoke-Command*", "*ICM -*", "*Invoke-WebRequest*", "*IWR *", "*Invoke-RestMethod*", "*IRM *", "* -noni *", "* -noninteractive *")