def rule(event):
    if any(
        [
            event.deep_get("Image", default="").endswith("\\QuarksPwDump.exe"),
            event.deep_get("CommandLine", default="")
            in [
                " -dhl",
                " --dump-hash-local",
                " -dhdc",
                " --dump-hash-domain-cached",
                " --dump-bitlocker",
                " -dhd ",
                " --dump-hash-domain ",
                "--ntds-file",
            ],
        ]
    ):
        return True
    return False
