import re


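# --- Indicator tables -------------------------------------------------------
# Sigma "contains" / "endswith" matching is case-insensitive, so every needle
# below is lower-case and is compared against a lower-cased field value.  The
# regexes are the exception: Sigma's "|re" modifier is case-sensitive and
# unanchored, so they are *searched* in the original, case-preserved string.

# Any one of these on the command line of a PowerShell child is suspicious.
_PS_SUSPICIOUS_SUBSTRINGS = (
    " echo ",
    "-dumpmode",
    "-ssh",
    ".dmp",
    "add-mppreference",
    "adscredentials",
    "bitsadmin",
    "certutil",
    "csvhost.exe",
    "downloadfile",
    "downloadstring",
    "dsquery",
    "ekern.exe",
    "frombase64string",
    "iex ",
    "iex(",
    "invoke-expression",
    "invoke-webrequest",
    "localgroup administrators",
    "o365accountconfiguration",
    "samaccountname=",
    "set-mppreference",
    "svhost.exe",
    "system.io.compression",
    "system.io.memorystream",
    "usoprivate",
    "usoshared",
    "whoami",
)

# Compiled once; note single-backslash "\s" inside raw strings.  The previous
# "\\s" was a literal backslash followed by "s", so these never matched.
_PS_SUSPICIOUS_PATTERNS = (
    # "-enc <base64>"-style encoded command; the "^" in the classes tolerates
    # cmd.exe caret escaping of the switch name.
    re.compile(r"[-/–][Ee^]{1,2}[ncodema^]*\s[A-Za-z0-9+/=]{15,}"),
    re.compile(r"net\s+user"),
    re.compile(r"net\s+group"),
    re.compile(r"query\s+session"),
)

# Groups of substrings that must ALL be present on the command line; matching
# any one group is suspicious regardless of the child Image.
_CMDLINE_ALL_OF_GROUPS = (
    ("localgroup administrators", "/add"),
    ("net", "user", "/add"),
    ("reg add", "disableantispyware", "\\microsoft\\windows defender"),
    ("reg add", "disablerestrictedadmin", "currentcontrolset\\control\\lsa"),
    ("wmic", "process call create"),
    ("wmic", "delete", "shadowcopy"),
    ("vssadmin", "delete", "shadows"),
    ("wbadmin", "delete", "catalog"),
)


def _field(event, name):
    """Return the string field *name* of *event*, or "" when missing/null."""
    return event.deep_get(name, default="") or ""


def _powershell_branch(image_lc, cmd_lc, cmd_raw):
    """PowerShell child whose command line carries a known indicator.

    *image_lc* / *cmd_lc* are lower-cased; *cmd_raw* is the original
    CommandLine, used for the case-sensitive regexes.
    """
    if not image_lc.endswith(("\\powershell.exe", "\\powershell_ise.exe")):
        return False
    if any(needle in cmd_lc for needle in _PS_SUSPICIOUS_SUBSTRINGS):
        return True
    # search(), not match(): the switch is normally preceded by the
    # executable path, so an anchored match would never fire.
    return any(pattern.search(cmd_raw) for pattern in _PS_SUSPICIOUS_PATTERNS)


def _lsass_branch(cmd_lc):
    """Command line referencing lsass together with a dump/enumeration tool."""
    return "lsass" in cmd_lc and any(
        tool in cmd_lc for tool in ("procdump", "tasklist", "findstr")
    )


def _generic_branch(image_lc, cmd_lc):
    """Image-agnostic indicators: downloaders, script engines, persistence,
    Defender/LSA registry tampering and backup/shadow-copy deletion."""
    if image_lc.endswith(("\\wget.exe", "\\curl.exe")) and "http" in cmd_lc:
        return True
    if "e:jscript" in cmd_lc or "e:vbscript" in cmd_lc:
        return True
    return any(
        all(needle in cmd_lc for needle in group) for group in _CMDLINE_ALL_OF_GROUPS
    )


def rule(event):
    """Flag suspicious child processes of Aspera's bundled ruby.exe.

    The parent must be an Aspera ruby binary (ParentImage contains both
    "aspera" and "\\ruby"); the child is then matched against three
    indicator families: a PowerShell child with an encoded/download/recon
    command line, an lsass dump attempt, or a generic indicator (see
    ``_generic_branch``).

    Args:
        event: Panther event exposing ``deep_get(key, default=...)`` for the
            ``ParentImage``, ``Image`` and ``CommandLine`` fields.

    Returns:
        True when the event matches, False otherwise.
    """
    parent_lc = _field(event, "ParentImage").lower()
    if "aspera" not in parent_lc or "\\ruby" not in parent_lc:
        return False

    image_lc = _field(event, "Image").lower()
    cmd_raw = _field(event, "CommandLine")
    cmd_lc = cmd_raw.lower()

    return (
        _powershell_branch(image_lc, cmd_lc, cmd_raw)
        or _lsass_branch(cmd_lc)
        or _generic_branch(image_lc, cmd_lc)
    )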
