import re


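def rule(event):
    """Return True when a process event matches relay / "potato" tool indicators.

    The event matches when at least one of the following holds and the
    ``Image`` field does not contain one of the "HotPotatoes" exclusions:

    * ``Image`` contains one of the listed tool names or path fragments;
    * ``CommandLine`` contains one of the listed keywords, or has the
      ``.exe -t ... -p ...`` shape;
    * ``CommandLine`` contains ``.exe -c "{`` and ends with ``}" -z``.

    Args:
        event: Object exposing ``deep_get(key, default=...)``. Only the
            ``Image`` and ``CommandLine`` fields are read.

    Returns:
        bool: True if the event should raise an alert, otherwise False.
    """
    # Read each field once. ``or ""`` keeps the substring tests safe if the
    # field is present but null (assumption: deep_get may return None then).
    image = event.deep_get("Image", default="") or ""
    command_line = event.deep_get("CommandLine", default="") or ""

    # NOTE(review): every comparison below is case-sensitive, while Windows
    # image paths and most command-line switches are not. Confirm whether the
    # log pipeline normalises case; if it does not, differently-cased values
    # will not be detected.

    # Exclusion list, checked first because it vetoes every other indicator.
    excluded_image_markers = ("HotPotatoes6", "HotPotatoes7", "HotPotatoes ")
    if any(marker in image for marker in excluded_image_markers):
        return False

    image_markers = (
        "PetitPotam",
        "RottenPotato",
        "HotPotato",
        "JuicyPotato",
        "\\just_dce_",
        "Juicy Potato",
        "\\temp\\rot.exe",
        "\\Potato.exe",
        "\\SpoolSample.exe",
        "\\Responder.exe",
        "\\smbrelayx",
        "\\ntlmrelayx",
        "\\LocalPotato",
    )
    if any(marker in image for marker in image_markers):
        return True

    command_line_markers = (
        "Invoke-Tater",
        " smbrelay",
        " ntlmrelay",
        "cme smb ",
        " /ntlm:NTLMhash ",
        "Invoke-PetitPotam",
    )
    if any(marker in command_line for marker in command_line_markers):
        return True

    # The dot before "exe" is escaped so that only a literal ".exe" matches.
    # Unescaped, it matched any character followed by "exe", which alerted on
    # unrelated command lines.
    if re.match(r"^.*\.exe -t .* -p .*$", command_line):
        return True

    # Remaining indicator: a brace-wrapped value passed with -c and a trailing -z.
    return '.exe -c "{' in command_line and command_line.endswith('}" -z')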
