// Cortex XDR / XSIAM XQL query over the xdr_process preset: Windows PROCESS_START
// events whose command line matches one of six PowerShell command-line patterns
// (hidden-window/encoded payloads, WebClient download cradles, a registry write),
// minus one carve-out for the Chocolatey installer.
// `case_sensitive = false` applies to every `contains` below, so e.g. "New-Object"
// and "new-object" (or "-Enc" and "-enc") are equivalent matches.
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 // Branch 1: -nop + hidden window + -c with an inline Base64 decode.
 // NOTE(review): " -w " and " -c " are space-padded substrings, so this branch
 // only matches the short switch forms surrounded by whitespace; the spelled-out
 // -windowstyle form is covered separately by branch 5 — confirm this is intended.
 (((action_process_image_command_line contains "-nop" and 
 action_process_image_command_line contains " -w " and 
 action_process_image_command_line contains "hidden" and 
 action_process_image_command_line contains " -c " and 
 action_process_image_command_line contains "[Convert]::FromBase64String") or 
 // Branch 2: non-interactive (-noni), no-profile, hidden window, -c with iex + New-Object.
 (action_process_image_command_line contains " -w " and 
 action_process_image_command_line contains "hidden" and 
 action_process_image_command_line contains "-noni" and 
 action_process_image_command_line contains "-nop" and 
 action_process_image_command_line contains " -c " and 
 action_process_image_command_line contains "iex" and 
 action_process_image_command_line contains "New-Object") or 
 // Branch 3: hidden window + execution-policy bypass (-ep bypass) + encoded command (-Enc).
 (action_process_image_command_line contains " -w " and 
 action_process_image_command_line contains "hidden" and 
 action_process_image_command_line contains "-ep" and 
 action_process_image_command_line contains "bypass" and 
 action_process_image_command_line contains "-Enc") or 
 // Branch 4: powershell launching a registry write under a \software\ key.
 // NOTE(review): "reg" and "add" are short substrings that also occur inside other
 // words (e.g. "address"); the specificity of this branch rests on "\software\".
 (action_process_image_command_line contains "powershell" and 
 action_process_image_command_line contains "reg" and 
 action_process_image_command_line contains "add" and 
 action_process_image_command_line contains "\software\") or 
 // Branch 5: bypass + -noprofile + -windowstyle hidden + System.Net.WebClient .Download* cradle.
 (action_process_image_command_line contains "bypass" and 
 action_process_image_command_line contains "-noprofile" and 
 action_process_image_command_line contains "-windowstyle" and 
 action_process_image_command_line contains "hidden" and 
 action_process_image_command_line contains "new-object" and 
 action_process_image_command_line contains "system.net.webclient" and 
 action_process_image_command_line contains ".download") or 
 // Branch 6: iex of a Net.WebClient .Download* result, with no window/profile
 // switches required (broadest of the six branches).
 (action_process_image_command_line contains "iex" and 
 action_process_image_command_line contains "New-Object" and 
 action_process_image_command_line contains "Net.WebClient" and 
 action_process_image_command_line contains ".Download")) and 
 // Exclusion: the Chocolatey installer (install.ps1 fetched via DownloadString,
 // and its Write-ChocolateyWarning helper), which would otherwise hit branch 6.
 // NOTE(review): the patterns rely on `in` honouring leading/trailing `*`
 // wildcards — confirm against the XQL reference for this tenant's version.
 (not 
 (action_process_image_command_line in ("*(New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1*", "*Write-ChocolateyWarning*")))))