def rule(event):
    if all(
        [
            "copy " in event.deep_get("CommandLine", default=""),
            "/y " in event.deep_get("CommandLine", default=""),
            "C:\\windows\\system32\\cmd.exe C:\\windows\\system32\\sethc.exe"
            in event.deep_get("CommandLine", default=""),
        ]
    ):
        return True
    return False
