import re


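# Every needle below is lowercase because each field is lowercased once in
# _lower_field() before comparison: Windows image paths, net.exe sub-commands
# and PowerShell cmdlets/parameters are not case-sensitive, so a case-sensitive
# `in` (the rule's previous form, which even spelled "localgroup administrators"
# two different ways) silently missed e.g. "downloadfile" or "Net User".
_PARENT_PRODUCT_MARKERS = ("manageengine", "servicedesk")
_PARENT_JAVA_MARKER = "\\java"

_POWERSHELL_IMAGE_SUFFIXES = ("\\powershell.exe", "\\powershell_ise.exe")
_POWERSHELL_TOKENS = (
    " echo ",
    "-dumpmode",
    "-ssh",
    ".dmp",
    "add-mppreference",
    "adscredentials",
    "bitsadmin",
    "certutil",
    "csvhost.exe",
    "downloadfile",
    "downloadstring",
    "dsquery",
    "ekern.exe",
    "frombase64string",
    "iex ",
    "iex(",
    "invoke-expression",
    "invoke-webrequest",
    "localgroup administrators",
    "o365accountconfiguration",
    "samaccountname=",
    "set-mppreference",
    "svhost.exe",
    "system.io.compression",
    "system.io.memorystream",
    "usoprivate",
    "usoshared",
    "whoami",
)
# Unanchored "contains" regexes, applied with re.search. The previous
# re.match() calls were anchored to the start of the command line, which
# begins with the executable path, so an "-enc <base64>" argument further
# along could never match; `\\s` inside a raw string was also a literal
# backslash followed by "s" rather than a whitespace class.
_POWERSHELL_PATTERNS = tuple(
    re.compile(pattern, re.IGNORECASE)
    for pattern in (
        r"[-/–][Ee^]{1,2}[ncodema^]*\s[A-Za-z0-9+/=]{15,}",
        r"net\s+user",
        r"net\s+group",
        r"query\ssession",
    )
)

_LSASS_TOOLS = ("procdump", "tasklist", "findstr")
_DOWNLOADER_IMAGE_SUFFIXES = ("\\wget.exe", "\\curl.exe")
_SCRIPT_ENGINE_TOKENS = ("e:jscript", "e:vbscript")
# Each tuple is an all-of set; the rule fires when any tuple fully matches.
_CMDLINE_TOKEN_SETS = (
    ("localgroup administrators", "/add"),
    ("net", "user", "/add"),
    ("reg add", "disableantispyware", "\\microsoft\\windows defender"),
    ("reg add", "disablerestrictedadmin", "currentcontrolset\\control\\lsa"),
    ("wmic", "process call create"),
    ("wmic", "delete", "shadowcopy"),
    ("vssadmin", "delete", "shadows"),
    ("wbadmin", "delete", "catalog"),
)
# All three must be present for the exclusion to apply.
_UPDATER_TOKENS = ("download.microsoft.com", "manageengine.com", "msiexec")


def _lower_field(event, key):
    """Return ``event.deep_get(key)`` as a lowercase str ("" when absent or None)."""
    value = event.deep_get(key, default="")
    return "" if value is None else str(value).lower()


def _contains_any(haystack, needles):
    """True when at least one needle is a substring of haystack."""
    return any(needle in haystack for needle in needles)


def _contains_all(haystack, needles):
    """True when every needle is a substring of haystack."""
    return all(needle in haystack for needle in needles)


def _is_servicedesk_java_parent(parent):
    """True when the parent image names a java binary under a ManageEngine/ServiceDesk path."""
    return _contains_any(parent, _PARENT_PRODUCT_MARKERS) and _PARENT_JAVA_MARKER in parent


def _is_suspicious_powershell(image, cmdline):
    """PowerShell child whose command line carries a listed token or pattern."""
    if not image.endswith(_POWERSHELL_IMAGE_SUFFIXES):
        return False
    return _contains_any(cmdline, _POWERSHELL_TOKENS) or any(
        pattern.search(cmdline) for pattern in _POWERSHELL_PATTERNS
    )


def _is_lsass_access(cmdline):
    """Command line that names lsass together with one of the listed tools."""
    return "lsass" in cmdline and _contains_any(cmdline, _LSASS_TOOLS)


def _is_suspicious_cmdline(image, cmdline):
    """Download utilities fetching a URL, script engines, or any all-of token set."""
    if image.endswith(_DOWNLOADER_IMAGE_SUFFIXES) and "http" in cmdline:
        return True
    if _contains_any(cmdline, _SCRIPT_ENGINE_TOKENS):
        return True
    return any(_contains_all(cmdline, tokens) for tokens in _CMDLINE_TOKEN_SETS)


def _is_servicedesk_updater(cmdline):
    """Exclusion: msiexec together with both download.microsoft.com and manageengine.com.

    Presumably the product's own update/installer flow — confirm against the
    environment before widening or narrowing it.
    """
    return _contains_all(cmdline, _UPDATER_TOKENS)


def rule(event):
    """Flag suspicious child processes of the ManageEngine ServiceDesk java process.

    Args:
        event: Panther-style event exposing ``deep_get(key, default=...)``.
            Only ``ParentImage``, ``Image`` and ``CommandLine`` are read;
            a missing or None field is treated as "".

    Returns:
        True when the parent image is a java binary under a ManageEngine /
        ServiceDesk path and the child is (a) PowerShell with a listed token
        or an unanchored encoded-command / net / query pattern, (b) a
        command line naming lsass with a listed tool, or (c) one of the
        download / script-engine / all-of token sets — unless the command
        line matches the updater exclusion. All matching is case-insensitive.
    """
    parent = _lower_field(event, "ParentImage")
    if not _is_servicedesk_java_parent(parent):
        return False
    cmdline = _lower_field(event, "CommandLine")
    if _is_servicedesk_updater(cmdline):
        return False
    image = _lower_field(event, "Image")
    return bool(
        _is_suspicious_powershell(image, cmdline)
        or _is_lsass_access(cmdline)
        or _is_suspicious_cmdline(image, cmdline)
    )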
