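def rule(event):
    """Flag process events matching known patterns for dumping ntds.dit.

    The rule reads three fields via ``event.deep_get`` — ``Image``,
    ``CommandLine`` and ``ParentImage`` — and fires when either

    * the command line / image matches a direct dump technique (a known
      dumper executable, ``ntdsutil ... create full``, a ``copy`` of
      ``\\windows\\ntds\\ntds.dit``, ``NTDSgrab.ps1``, or PowerShell with
      ``ntds.dit`` on the command line), or
    * ``ntds.dit`` appears on the command line and the process or its
      parent lives in a directory where admin tooling is not expected
      (web-server, AppData, Temp, Public, PerfLogs paths).

    Args:
        event: log event exposing ``deep_get(key, default=...)``; missing
            fields are treated as the empty string.

    Returns:
        ``True`` when any pattern group matches, otherwise ``False``.
    """
    # Windows paths, image names and the ntdsutil/cmd tokens matched below are
    # case-insensitive, so compare against a lower-cased copy of each field.
    # A case-sensitive ``in`` check would miss e.g. ``NTDS.DIT`` or
    # ``Create Full`` while matching the same activity.
    image = event.deep_get("Image", default="").lower()
    command_line = event.deep_get("CommandLine", default="").lower()
    parent_image = event.deep_get("ParentImage", default="").lower()

    # Pairs of substrings that must BOTH appear on the command line.
    command_line_pairs = (
        ("ntds.dit", "system.hiv"),
        ("ac i ntds", "create full"),
        ("/c copy ", "\\windows\\ntds\\ntds.dit"),
        ("activate instance ntds", "create full"),
        ("powershell", "ntds.dit"),
    )
    # Directory fragments (in Image or ParentImage) that make an ntds.dit
    # reference suspicious on their own.
    suspicious_path_fragments = (
        "\\apache",
        "\\tomcat",
        "\\appdata\\",
        "\\temp\\",
        "\\public\\",
        "\\perflogs\\",
    )

    if image.endswith(("\\ntdsdump.exe", "\\ntdsdumpex.exe")):
        return True
    if "ntdsgrab.ps1" in command_line:
        return True
    if any(
        first in command_line and second in command_line
        for first, second in command_line_pairs
    ):
        return True
    if "ntds.dit" in command_line and any(
        fragment in parent_image or fragment in image
        for fragment in suspicious_path_fragments
    ):
        return True
    return False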
