// Detection: registry value writes that register a PersistentHandler for a
// file-extension class, or that register a class under PersistentAddinsRegistered
// for {89BCB740-6119-101A-BCB7-00DD010655AF} (the IFilter interface ID).
// The stages below are chained filters; together they are equivalent to a single
// "A and B and not (C or D)" predicate.
//
// NOTE(review): the last stage drops every event whose writing process image is
// under System32 or Program Files, so changes made by binaries in those
// directories are never reported. Confirm this trade-off is acceptable, or cover
// those writers with a separate, lower-severity rule.
// NOTE(review): the process-path exclusions are hard-coded to drive C:. On hosts
// with a different system drive they will not match, which produces extra
// alerts rather than missed ones.
config case_sensitive = false
| preset = xdr_registry

// Scope: registry set-value events reported by Windows agents.
| filter event_type = ENUM.REGISTRY and event_sub_type = ENUM.REGISTRY_SET_VALUE
| filter agent_os_type = ENUM.AGENT_OS_WINDOWS

// Selection: either key-path pattern is sufficient.
| filter (action_registry_key_name contains "\SOFTWARE\Classes\." and
          action_registry_key_name contains "\PersistentHandler")
      or (action_registry_key_name contains "\SOFTWARE\Classes\CLSID" and
          action_registry_key_name contains "\PersistentAddinsRegistered\{89BCB740-6119-101A-BCB7-00DD010655AF}")

// Exclusion 1: CLSIDs that are allow-listed (presumably stock handlers; verify
// against a clean baseline image before relying on the list).
// NOTE(review): the {eec97550-...} entry ends in "}*" while every other entry ends
// in "}\*"; kept as-is, confirm whether the difference is intentional.
| filter not (action_registry_key_name in (
    "*\CLSID\{4F46F75F-199F-4C63-8B7D-86D48FE7970C}\*",
    "*\CLSID\{4887767F-7ADC-4983-B576-88FB643D6F79}\*",
    "*\CLSID\{D3B41FA1-01E3-49AF-AA25-1D0D824275AE}\*",
    "*\CLSID\{72773E1A-B711-4d8d-81FA-B9A43B0650DD}\*",
    "*\CLSID\{098f2470-bae0-11cd-b579-08002b30bfeb}\*",
    "*\CLSID\{1AA9BF05-9A97-48c1-BA28-D9DCE795E93C}\*",
    "*\CLSID\{2e2294a9-50d7-4fe7-a09f-e6492e185884}\*",
    "*\CLSID\{34CEAC8D-CBC0-4f77-B7B1-8A60CB6DA0F7}\*",
    "*\CLSID\{3B224B11-9363-407e-850F-C9E1FFACD8FB}\*",
    "*\CLSID\{3DDEB7A4-8ABF-4D82-B9EE-E1F4552E95BE}\*",
    "*\CLSID\{5645C8C1-E277-11CF-8FDA-00AA00A14F93}\*",
    "*\CLSID\{5645C8C4-E277-11CF-8FDA-00AA00A14F93}\*",
    "*\CLSID\{58A9EBF6-5755-4554-A67E-A2467AD1447B}\*",
    "*\CLSID\{5e941d80-bf96-11cd-b579-08002b30bfeb}\*",
    "*\CLSID\{698A4FFC-63A3-4E70-8F00-376AD29363FB}\*",
    "*\CLSID\{7E9D8D44-6926-426F-AA2B-217A819A5CCE}\*",
    "*\CLSID\{8CD34779-9F10-4f9b-ADFB-B3FAEABDAB5A}\*",
    "*\CLSID\{9694E38A-E081-46ac-99A0-8743C909ACB6}\*",
    "*\CLSID\{98de59a0-d175-11cd-a7bd-00006b827d94}\*",
    "*\CLSID\{AA10385A-F5AA-4EFF-B3DF-71B701E25E18}\*",
    "*\CLSID\{B4132098-7A03-423D-9463-163CB07C151F}\*",
    "*\CLSID\{d044309b-5da6-4633-b085-4ed02522e5a5}\*",
    "*\CLSID\{D169C14A-5148-4322-92C8-754FC9D018D8}\*",
    "*\CLSID\{DD75716E-B42E-4978-BB60-1497B92E30C4}\*",
    "*\CLSID\{E2F83EED-62DE-4A9F-9CD0-A1D40DCD13B6}\*",
    "*\CLSID\{E772CEB3-E203-4828-ADF1-765713D981B8}\*",
    "*\CLSID\{eec97550-47a9-11cf-b952-00aa0051fe20}*",
    "*\CLSID\{FB10BD80-A331-4e9e-9EB7-00279903AD99}\*"
  ))

// Exclusion 2: writers whose image path is under a system or program directory.
| filter not (actor_process_image_path in (
    "C:\Windows\System32\*",
    "C:\Program Files (x86)\*",
    "C:\Program Files\*"
  ))