def rule(event):
    if any(
        [
            all(
                [
                    "ldifde" in event.deep_get("CommandLine", default=""),
                    "-f -n" in event.deep_get("CommandLine", default=""),
                    "eprod.ldf" in event.deep_get("CommandLine", default=""),
                ]
            ),
            all(
                [
                    "copy \\\\" in event.deep_get("CommandLine", default=""),
                    "c$" in event.deep_get("CommandLine", default=""),
                    any(
                        [
                            "\\aaaa\\procdump64.exe" in event.deep_get("CommandLine", default=""),
                            "\\aaaa\\netsess.exe" in event.deep_get("CommandLine", default=""),
                            "\\aaaa\\7za.exe" in event.deep_get("CommandLine", default=""),
                            "\\c$\\aaaa\\" in event.deep_get("CommandLine", default=""),
                        ]
                    ),
                ]
            ),
        ]
    ):
        return True
    return False
