def rule(event):
    if any(
        [
            event.deep_get("Image", default="").endswith("\\Rubeus.exe"),
            event.deep_get("OriginalFileName", default="") == "Rubeus.exe",
            event.deep_get("Description", default="") == "Rubeus",
            any(
                [
                    "asreproast " in event.deep_get("CommandLine", default=""),
                    "dump /service:krbtgt " in event.deep_get("CommandLine", default=""),
                    "dump /luid:0x" in event.deep_get("CommandLine", default=""),
                    "kerberoast " in event.deep_get("CommandLine", default=""),
                    "createnetonly /program:" in event.deep_get("CommandLine", default=""),
                    "ptt /ticket:" in event.deep_get("CommandLine", default=""),
                    "/impersonateuser:" in event.deep_get("CommandLine", default=""),
                    "renew /ticket:" in event.deep_get("CommandLine", default=""),
                    "asktgt /user:" in event.deep_get("CommandLine", default=""),
                    "harvest /interval:" in event.deep_get("CommandLine", default=""),
                    "s4u /user:" in event.deep_get("CommandLine", default=""),
                    "s4u /ticket:" in event.deep_get("CommandLine", default=""),
                    "hash /password:" in event.deep_get("CommandLine", default=""),
                    "golden /aes256:" in event.deep_get("CommandLine", default=""),
                    "silver /user:" in event.deep_get("CommandLine", default=""),
                ]
            ),
        ]
    ):
        return True
    return False
