def rule(event):
    if all(
        [
            event.deep_get("ParentImage", default="").endswith("\\sqlservr.exe"),
            "VEEAMSQL" in event.deep_get("ParentCommandLine", default=""),
            any(
                [
                    all(
                        [
                            any(
                                [
                                    event.deep_get("Image", default="").endswith("\\cmd.exe"),
                                    event.deep_get("Image", default="").endswith(
                                        "\\powershell.exe"
                                    ),
                                    event.deep_get("Image", default="").endswith("\\pwsh.exe"),
                                    event.deep_get("Image", default="").endswith("\\wsl.exe"),
                                    event.deep_get("Image", default="").endswith("\\wt.exe"),
                                ]
                            ),
                            any(
                                [
                                    "-ex " in event.deep_get("CommandLine", default=""),
                                    "bypass" in event.deep_get("CommandLine", default=""),
                                    "cscript" in event.deep_get("CommandLine", default=""),
                                    "DownloadString" in event.deep_get("CommandLine", default=""),
                                    "http://" in event.deep_get("CommandLine", default=""),
                                    "https://" in event.deep_get("CommandLine", default=""),
                                    "mshta" in event.deep_get("CommandLine", default=""),
                                    "regsvr32" in event.deep_get("CommandLine", default=""),
                                    "rundll32" in event.deep_get("CommandLine", default=""),
                                    "wscript" in event.deep_get("CommandLine", default=""),
                                    "copy " in event.deep_get("CommandLine", default=""),
                                ]
                            ),
                        ]
                    ),
                    any(
                        [
                            event.deep_get("Image", default="").endswith("\\net.exe"),
                            event.deep_get("Image", default="").endswith("\\net1.exe"),
                            event.deep_get("Image", default="").endswith("\\netstat.exe"),
                            event.deep_get("Image", default="").endswith("\\nltest.exe"),
                            event.deep_get("Image", default="").endswith("\\ping.exe"),
                            event.deep_get("Image", default="").endswith("\\tasklist.exe"),
                            event.deep_get("Image", default="").endswith("\\whoami.exe"),
                        ]
                    ),
                ]
            ),
        ]
    ):
        return True
    return False
