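def rule(event):
    """Flag process events that copy credential-bearing files.

    Returns True when either condition holds:

    1. The process is esentutl.exe (by image path or OriginalFileName) and
       its command line contains "vss" or a copy switch (``m`` / ``y``)
       written with any of several dash-like prefixes.
    2. The command line references a SAM/SECURITY/SYSTEM hive path or
       ``ntds.dit``, regardless of which binary is running.

    All comparisons are case-insensitive. Windows paths and switches are
    case-insensitive, so an exact-case substring test would miss a command
    line such as ``C:\\Windows\\NTDS\\ntds.dit``.

    Args:
        event: Log event exposing ``deep_get(key, default=...)``; the fields
            read are ``Image``, ``OriginalFileName`` and ``CommandLine``.

    Returns:
        bool: True if the event matches, False otherwise.
    """
    # `or ""` guards against a field that is present but null.
    image = (event.deep_get("Image", default="") or "").lower()
    original_name = (event.deep_get("OriginalFileName", default="") or "").lower()
    command_line = (event.deep_get("CommandLine", default="") or "").lower()

    # Needles are lower-case because the haystack is lower-cased above.
    sensitive_paths = (
        "\\config\\regback\\sam",
        "\\config\\regback\\security",
        "\\config\\regback\\system",
        "\\config\\sam",
        "\\config\\security",
        # Trailing space keeps "\config\systemprofile\" from matching.
        "\\config\\system ",
        "\\repair\\sam",
        "\\repair\\security",
        "\\repair\\system",
        "\\windows\\ntds\\ntds.dit",
    )
    if any(path in command_line for path in sensitive_paths):
        return True

    # The PE OriginalFileName field holds a bare file name with no path
    # separator, so the original "\esentutl.exe" literal could never match
    # a real event. Accept the bare name and keep the old literal too.
    is_esentutl = image.endswith("\\esentutl.exe") or original_name in (
        "esentutl.exe",
        "\\esentutl.exe",
    )
    if not is_esentutl:
        return False

    # Windows tools accept several dash-like characters as a switch prefix;
    # covering them prevents a trivial bypass of the switch match.
    switch_prefixes = ("-", "/", "–", "—", "―")
    copy_switches = [
        f" {prefix}{flag} " for flag in ("m", "y") for prefix in switch_prefixes
    ]
    # NOTE(review): "vss" is a broad substring; tune if it proves noisy.
    return "vss" in command_line or any(
        switch in command_line for switch in copy_switches
    )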
