def rule(event):
    if any(
        [
            any(
                [
                    event.deep_get("SourceImage", default="").endswith("\\Akagi.exe"),
                    event.deep_get("SourceImage", default="").endswith("\\Akagi64.exe"),
                    event.deep_get("SourceImage", default="").endswith("\\atexec_windows.exe"),
                    event.deep_get("SourceImage", default="").endswith("\\Certify.exe"),
                    event.deep_get("SourceImage", default="").endswith("\\Certipy.exe"),
                    event.deep_get("SourceImage", default="").endswith("\\CoercedPotato.exe"),
                    event.deep_get("SourceImage", default="").endswith("\\crackmapexec.exe"),
                    event.deep_get("SourceImage", default="").endswith("\\CreateMiniDump.exe"),
                    event.deep_get("SourceImage", default="").endswith("\\dcomexec_windows.exe"),
                    event.deep_get("SourceImage", default="").endswith("\\dpapi_windows.exe"),
                    event.deep_get("SourceImage", default="").endswith(
                        "\\findDelegation_windows.exe"
                    ),
                    event.deep_get("SourceImage", default="").endswith("\\GetADUsers_windows.exe"),
                    event.deep_get("SourceImage", default="").endswith("\\GetNPUsers_windows.exe"),
                    event.deep_get("SourceImage", default="").endswith("\\getPac_windows.exe"),
                    event.deep_get("SourceImage", default="").endswith("\\getST_windows.exe"),
                    event.deep_get("SourceImage", default="").endswith("\\getTGT_windows.exe"),
                    event.deep_get("SourceImage", default="").endswith("\\GetUserSPNs_windows.exe"),
                    event.deep_get("SourceImage", default="").endswith("\\gmer.exe"),
                    event.deep_get("SourceImage", default="").endswith("\\hashcat.exe"),
                    event.deep_get("SourceImage", default="").endswith("\\htran.exe"),
                    event.deep_get("SourceImage", default="").endswith("\\ifmap_windows.exe"),
                    event.deep_get("SourceImage", default="").endswith("\\impersonate.exe"),
                    event.deep_get("SourceImage", default="").endswith("\\Inveigh.exe"),
                    event.deep_get("SourceImage", default="").endswith("\\LocalPotato.exe"),
                    event.deep_get("SourceImage", default="").endswith("\\mimikatz_windows.exe"),
                    event.deep_get("SourceImage", default="").endswith("\\mimikatz.exe"),
                    event.deep_get("SourceImage", default="").endswith("\\netview_windows.exe"),
                    event.deep_get("SourceImage", default="").endswith(
                        "\\nmapAnswerMachine_windows.exe"
                    ),
                    event.deep_get("SourceImage", default="").endswith("\\opdump_windows.exe"),
                    event.deep_get("SourceImage", default="").endswith("\\PasswordDump.exe"),
                    event.deep_get("SourceImage", default="").endswith("\\Potato.exe"),
                    event.deep_get("SourceImage", default="").endswith("\\PowerTool.exe"),
                    event.deep_get("SourceImage", default="").endswith("\\PowerTool64.exe"),
                    event.deep_get("SourceImage", default="").endswith("\\psexec_windows.exe"),
                    event.deep_get("SourceImage", default="").endswith("\\PurpleSharp.exe"),
                    event.deep_get("SourceImage", default="").endswith("\\pypykatz.exe"),
                    event.deep_get("SourceImage", default="").endswith("\\QuarksPwDump.exe"),
                    event.deep_get("SourceImage", default="").endswith("\\rdp_check_windows.exe"),
                    event.deep_get("SourceImage", default="").endswith("\\Rubeus.exe"),
                    event.deep_get("SourceImage", default="").endswith("\\SafetyKatz.exe"),
                    event.deep_get("SourceImage", default="").endswith("\\sambaPipe_windows.exe"),
                    event.deep_get("SourceImage", default="").endswith("\\SelectMyParent.exe"),
                    event.deep_get("SourceImage", default="").endswith("\\SharpChisel.exe"),
                    event.deep_get("SourceImage", default="").endswith("\\SharPersist.exe"),
                    event.deep_get("SourceImage", default="").endswith("\\SharpEvtMute.exe"),
                    event.deep_get("SourceImage", default="").endswith("\\SharpImpersonation.exe"),
                    event.deep_get("SourceImage", default="").endswith("\\SharpLDAPmonitor.exe"),
                    event.deep_get("SourceImage", default="").endswith("\\SharpLdapWhoami.exe"),
                    event.deep_get("SourceImage", default="").endswith("\\SharpUp.exe"),
                    event.deep_get("SourceImage", default="").endswith("\\SharpView.exe"),
                    event.deep_get("SourceImage", default="").endswith("\\smbclient_windows.exe"),
                    event.deep_get("SourceImage", default="").endswith("\\smbserver_windows.exe"),
                    event.deep_get("SourceImage", default="").endswith("\\sniff_windows.exe"),
                    event.deep_get("SourceImage", default="").endswith("\\sniffer_windows.exe"),
                    event.deep_get("SourceImage", default="").endswith("\\split_windows.exe"),
                    event.deep_get("SourceImage", default="").endswith("\\SpoolSample.exe"),
                    event.deep_get("SourceImage", default="").endswith("\\Stracciatella.exe"),
                    event.deep_get("SourceImage", default="").endswith("\\SysmonEOP.exe"),
                    event.deep_get("SourceImage", default="").endswith("\\temp\\rot.exe"),
                    event.deep_get("SourceImage", default="").endswith("\\ticketer_windows.exe"),
                    event.deep_get("SourceImage", default="").endswith("\\TruffleSnout.exe"),
                    event.deep_get("SourceImage", default="").endswith("\\winPEASany_ofs.exe"),
                    event.deep_get("SourceImage", default="").endswith("\\winPEASany.exe"),
                    event.deep_get("SourceImage", default="").endswith("\\winPEASx64_ofs.exe"),
                    event.deep_get("SourceImage", default="").endswith("\\winPEASx64.exe"),
                    event.deep_get("SourceImage", default="").endswith("\\winPEASx86_ofs.exe"),
                    event.deep_get("SourceImage", default="").endswith("\\winPEASx86.exe"),
                    event.deep_get("SourceImage", default="").endswith("\\xordump.exe"),
                ]
            ),
            any(
                [
                    "\\goldenPac" in event.deep_get("SourceImage", default=""),
                    "\\just_dce_" in event.deep_get("SourceImage", default=""),
                    "\\karmaSMB" in event.deep_get("SourceImage", default=""),
                    "\\kintercept" in event.deep_get("SourceImage", default=""),
                    "\\LocalPotato" in event.deep_get("SourceImage", default=""),
                    "\\ntlmrelayx" in event.deep_get("SourceImage", default=""),
                    "\\rpcdump" in event.deep_get("SourceImage", default=""),
                    "\\samrdump" in event.deep_get("SourceImage", default=""),
                    "\\secretsdump" in event.deep_get("SourceImage", default=""),
                    "\\smbexec" in event.deep_get("SourceImage", default=""),
                    "\\smbrelayx" in event.deep_get("SourceImage", default=""),
                    "\\wmiexec" in event.deep_get("SourceImage", default=""),
                    "\\wmipersist" in event.deep_get("SourceImage", default=""),
                    "HotPotato" in event.deep_get("SourceImage", default=""),
                    "Juicy Potato" in event.deep_get("SourceImage", default=""),
                    "JuicyPotato" in event.deep_get("SourceImage", default=""),
                    "PetitPotam" in event.deep_get("SourceImage", default=""),
                    "RottenPotato" in event.deep_get("SourceImage", default=""),
                ]
            ),
        ]
    ):
        return True
    return False
