# Detection rule: an interactive shell (cmd.exe / powershell.exe / powershell_ise.exe)
# sets a reparse point on a file, unless the shell already runs at an elevated
# integrity level.
Rule {
    Process {
        # Process selection is by image name only; coverage depends on the process
        # being invoked under one of these names.
        Include OBJECT_NAME { -v cmd.exe }
        Include OBJECT_NAME { -v powershell.exe }
        Include OBJECT_NAME { -v powershell_ise.exe }
        # NOTE(review): pwsh.exe (PowerShell 7+) is not listed — confirm whether it is
        # meant to be out of scope.
        # Exclude processes whose token carries a High (S-1-16-12288) or System
        # (S-1-16-16384) mandatory integrity label, i.e. elevated or SYSTEM shells.
        # These are integrity-level SIDs, not group memberships.
        # NOTE(review): assumes AggregateMatch excludes when ANY listed SID is present;
        # a token holds a single integrity label, so an all-must-match reading would
        # never exclude anything — confirm against the rule engine's semantics.
        Exclude AggregateMatch {
            Include GROUP_SID { -v "S-1-16-12288" }
            Include GROUP_SID { -v "S-1-16-16384" }
        }
    }
    Target {
        # Watched file operation: setting a reparse point (presumably symlink, junction
        # or mount-point creation), a file-redirection primitive worth alerting on from
        # a non-elevated shell.
        Match FILE { Include -access SET_REPARSE }
    }
}