diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 028d373..983a76c 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -301,7 +301,7 @@
 			<Image condition="image">net1.exe</Image> <!--Windows: Launched by "net.exe", but it may not detect connections either -->
 			<Image condition="image">notepad.exe</Image> <!--Windows: [ https://secrary.com/ReversingMalware/CoinMiner/ ] [ https://blog.cobaltstrike.com/2013/08/08/why-is-notepad-exe-connecting-to-the-internet/ ] -->
 			<Image condition="image">nslookup.exe</Image> <!--Windows: Retrieve data over DNS -->
-			<Image condition="image">powershell.exe</Image> <!--Windows: PowerShell interface-->
+			<Image condition="image">powershell.exe</Image> <!--Windows: PowerShell interface-->
 			<Image condition="image">powershell_ise.exe</Image> <!--Windows: PowerShell interface-->
 			<Image condition="image">qprocess.exe</Image> <!--Windows: [ https://www.first.org/resources/papers/conf2017/APT-Log-Analysis-Tracking-Attack-Tools-by-Audit-Policy-and-Sysmon.pdf ] -->
 			<Image condition="image">qwinsta.exe</Image> <!--Windows: Query remote sessions | Credit @ion-storm -->
@@ -827,6 +827,17 @@
 			<TargetFilename condition="end with">.vbs</TargetFilename> <!--VisualBasicScripting files-->
 			<TargetFilename condition="end with">.wsc</TargetFilename> <!--Scripting | Credit @bartblaze -->
 			<TargetFilename condition="end with">.wsf</TargetFilename> <!--Scripting | Credit @bartblaze -->
+			<TargetFilename condition="end with">.docm</TargetFilename> <!--Office Word potentially with macro -->
+			<TargetFilename condition="end with">.docx</TargetFilename> <!--Office Word potentially with macro -->
+			<TargetFilename condition="end with">.xls</TargetFilename> <!--Office Excel potentially with macro -->
+			<TargetFilename condition="end with">.xlsm</TargetFilename> <!--Office Excel potentially with macro -->
+			<TargetFilename condition="end with">.xlsx</TargetFilename> <!--Office Excel potentially with macro -->
+			<TargetFilename condition="end with">.pptm</TargetFilename> <!--Office PowerPoint potentially with macro -->
+			<TargetFilename condition="end with">.pptx</TargetFilename> <!--Office PowerPoint potentially with macro -->
+			<TargetFilename condition="end with">.rtf</TargetFilename> <!--RTF file potentially with exploitation -->
+			<TargetFilename condition="end with">.pdf</TargetFilename> <!--PDF file potentially with exploitation -->
+			<TargetFilename condition="end with">.zip</TargetFilename> <!--ZIP file potentially with delivering malicious files -->
+			<TargetFilename condition="end with">.7z</TargetFilename> <!--7-ZIP file potentially with delivering malicious files -->
 		</FileCreateStreamHash>
 
 	<RuleGroup name="" groupRelation="or">
