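def rule(event):
    """Return True when the event matches one of the listed process indicators.

    The rule reads two fields from ``event`` via ``event.deep_get``:
    ``Image`` (presumably the executable path) and ``CommandLine`` — the
    exact field semantics depend on the log source feeding this rule and
    are not visible here; confirm against the schema. Each lookup uses
    ``default=""`` so a missing field never raises, it simply fails to match.

    Match conditions (any one is sufficient):
      * ``Image`` ends with one of the fixed path suffixes below;
      * ``CommandLine`` contains both ``-ExecutionPolicy Bypass -File`` and
        ``\\msf.ps1``;
      * ``CommandLine`` contains all of ``infopagesbackup``, ``\\ncat`` and
        ``-e cmd.exe``;
      * ``CommandLine`` contains one of the fixed substrings below.

    All comparisons are plain, case-sensitive substring/suffix checks, so a
    differently-cased path or argument will not match. The structure
    (nested any/all over literal indicators) looks like compiler-generated
    rule logic — TODO confirm against the rule's source.

    Args:
        event: log event exposing ``deep_get(key, default=...)``.

    Returns:
        bool: True on a match, False otherwise.
    """
    # Look each field up once; the original evaluated every indicator
    # eagerly and re-read the field for each check.
    image = event.deep_get("Image", default="")
    command_line = event.deep_get("CommandLine", default="")

    # Executable paths: str.endswith accepts a tuple and matches any entry.
    image_suffixes = (
        ":\\ProgramData\\adobe\\Adobe.exe",
        ":\\ProgramData\\oracle\\local.exe",
        "\\revshell.exe",
        "\\infopagesbackup\\ncat.exe",
        ":\\ProgramData\\comms\\comms.exe",
    )
    if image.endswith(image_suffixes):
        return True

    # Command-line indicator groups that must co-occur.
    if all(
        token in command_line
        for token in ("-ExecutionPolicy Bypass -File", "\\msf.ps1")
    ):
        return True
    if all(
        token in command_line
        for token in ("infopagesbackup", "\\ncat", "-e cmd.exe")
    ):
        return True

    # Standalone command-line indicators; any single hit is enough.
    # The last entry is a base64-looking token — its decoded meaning is
    # not stated here; verify before tuning it.
    command_line_tokens = (
        "system.Data.SqlClient.SqlDataAdapter($cmd); [void]$da.fill",
        "-nop -w hidden -c $k=new-object",
        "[Net.CredentialCache]::DefaultCredentials;IEX ",
        " -nop -w hidden -c $m=new-object net.webclient;$m",
        "-noninteractive -executionpolicy bypass whoami",
        "-noninteractive -executionpolicy bypass netstat -a",
        "L3NlcnZlcj1",
    )
    return any(token in command_line for token in command_line_tokens)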
