// Detection: process started as a direct child of Windows Terminal that looks
// like script/LOLBin execution, runs from a user-writable directory, or carries
// a script-style command line.
//
// Scope: xdr_process preset, process-start events on Windows agents only.
// Matching is case-insensitive (config case_sensitive = false).
//
// Logic: parent is WindowsTerminal.exe / wt.exe AND (child image is one of the
// listed binaries OR child image path is under a listed directory OR child
// command line matches a listed pattern) AND NOT one of three exclusions.
//
// NOTE(review): all three exclusions key only on substrings of the child
// command line. Any process whose command line contains those strings is
// suppressed regardless of which binary actually runs, so an exclusion can hide
// a true positive. Consider also constraining the child image path for each
// exclusion, and confirm against the local baseline before relying on them.
// NOTE(review): only direct children of the terminal are matched; activity
// further down the process tree is presumably left to other rules (confirm).
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 // Parent (actor) image path ends with the Windows Terminal executable names.
 (((actor_process_image_path in ("*\WindowsTerminal.exe", "*\wt.exe")) and 
 // Condition 1: child image is a script host, compiler or utility from this list.
 ((action_process_image_path in ("*\rundll32.exe", "*\regsvr32.exe", "*\certutil.exe", "*\cscript.exe", "*\wscript.exe", "*\csc.exe")) or 
 // Condition 2: child image sits under a public, download, desktop or temp directory.
 // The Users\Public pattern is pinned to drive C:, the other patterns are not.
 (action_process_image_path in ("*C:\Users\Public\*", "*\Downloads\*", "*\Desktop\*", "*\AppData\Local\Temp\*", "*\Windows\TEMP\*")) or 
 // Condition 3: child command line contains PowerShell invocation/download keywords
 // or a " /c ", " /k ", " /r " switch. NOTE(review): the switch patterns are generic
 // and likely to be the noisiest part of the rule; verify alert volume.
 (action_process_image_command_line in ("* iex *", "* icm*", "*Invoke-*", "*Import-Module *", "*ipmo *", "*DownloadString(*", "* /c *", "* /k *", "* /r *")))) and 
 // Exclusions (command-line substrings only; see the review note at the top).
 (not 
 // Exclusion A: Visual Studio developer shell module import (all three strings required).
 ((action_process_image_command_line contains "Import-Module" and 
 action_process_image_command_line contains "Microsoft.VisualStudio.DevShell.dll" and 
 action_process_image_command_line contains "Enter-VsDevShell") or 
 // Exclusion B: command line referencing the Windows Terminal package settings.json.
 (action_process_image_command_line contains "\AppData\Local\Packages\Microsoft.WindowsTerminal_" and 
 action_process_image_command_line contains "\LocalState\settings.json") or 
 // Exclusion C: Visual Studio VsDevCmd.bat under C:\Program Files only.
 (action_process_image_command_line contains "C:\Program Files\Microsoft Visual Studio\" and 
 action_process_image_command_line contains "\Common7\Tools\VsDevCmd.bat")))))