import re


def rule(event):
    if all(
        [
            event.deep_get("IntegrityLevel", default="") in ["System", "S-1-16-16384"],
            any(
                [
                    "AUTHORI" in event.deep_get("User", default=""),
                    "AUTORI" in event.deep_get("User", default=""),
                ]
            ),
            any(
                [
                    any(
                        [
                            event.deep_get("Image", default="").endswith("\\calc.exe"),
                            event.deep_get("Image", default="").endswith("\\cscript.exe"),
                            event.deep_get("Image", default="").endswith("\\forfiles.exe"),
                            event.deep_get("Image", default="").endswith("\\hh.exe"),
                            event.deep_get("Image", default="").endswith("\\mshta.exe"),
                            event.deep_get("Image", default="").endswith("\\ping.exe"),
                            event.deep_get("Image", default="").endswith("\\wscript.exe"),
                        ]
                    ),
                    re.match(r"net\\s+user\\s+", event.deep_get("CommandLine", default="")),
                    any(
                        [
                            " -NoP " in event.deep_get("CommandLine", default=""),
                            " -W Hidden " in event.deep_get("CommandLine", default=""),
                            " -decode " in event.deep_get("CommandLine", default=""),
                            " /decode " in event.deep_get("CommandLine", default=""),
                            " /urlcache " in event.deep_get("CommandLine", default=""),
                            " -urlcache " in event.deep_get("CommandLine", default=""),
                            re.match(r"^.* -e.* JAB.*$", event.deep_get("CommandLine", default="")),
                            re.match(
                                r"^.* -e.* SUVYI.*$", event.deep_get("CommandLine", default="")
                            ),
                            re.match(
                                r"^.* -e.* SQBFAFgA.*$", event.deep_get("CommandLine", default="")
                            ),
                            re.match(
                                r"^.* -e.* aWV4I.*$", event.deep_get("CommandLine", default="")
                            ),
                            re.match(r"^.* -e.* IAB.*$", event.deep_get("CommandLine", default="")),
                            re.match(r"^.* -e.* PAA.*$", event.deep_get("CommandLine", default="")),
                            re.match(
                                r"^.* -e.* aQBlAHgA.*$", event.deep_get("CommandLine", default="")
                            ),
                            "vssadmin delete shadows" in event.deep_get("CommandLine", default=""),
                            "reg SAVE HKLM" in event.deep_get("CommandLine", default=""),
                            " -ma " in event.deep_get("CommandLine", default=""),
                            "Microsoft\\Windows\\CurrentVersion\\Run"
                            in event.deep_get("CommandLine", default=""),
                            ".downloadstring(" in event.deep_get("CommandLine", default=""),
                            ".downloadfile(" in event.deep_get("CommandLine", default=""),
                            " /ticket:" in event.deep_get("CommandLine", default=""),
                            "dpapi::" in event.deep_get("CommandLine", default=""),
                            "event::clear" in event.deep_get("CommandLine", default=""),
                            "event::drop" in event.deep_get("CommandLine", default=""),
                            "id::modify" in event.deep_get("CommandLine", default=""),
                            "kerberos::" in event.deep_get("CommandLine", default=""),
                            "lsadump::" in event.deep_get("CommandLine", default=""),
                            "misc::" in event.deep_get("CommandLine", default=""),
                            "privilege::" in event.deep_get("CommandLine", default=""),
                            "rpc::" in event.deep_get("CommandLine", default=""),
                            "sekurlsa::" in event.deep_get("CommandLine", default=""),
                            "sid::" in event.deep_get("CommandLine", default=""),
                            "token::" in event.deep_get("CommandLine", default=""),
                            "vault::cred" in event.deep_get("CommandLine", default=""),
                            "vault::list" in event.deep_get("CommandLine", default=""),
                            " p::d " in event.deep_get("CommandLine", default=""),
                            ";iex(" in event.deep_get("CommandLine", default=""),
                            "MiniDump" in event.deep_get("CommandLine", default=""),
                        ]
                    ),
                ]
            ),
            not any(
                [
                    all(
                        [
                            "ping" in event.deep_get("CommandLine", default=""),
                            "127.0.0.1" in event.deep_get("CommandLine", default=""),
                            " -n " in event.deep_get("CommandLine", default=""),
                        ]
                    ),
                    all(
                        [
                            event.deep_get("Image", default="").endswith("\\PING.EXE"),
                            "\\DismFoDInstall.cmd"
                            in event.deep_get("ParentCommandLine", default=""),
                        ]
                    ),
                    ":\\Packages\\Plugins\\Microsoft.GuestConfiguration.ConfigurationforWindows\\"
                    in event.deep_get("ParentImage", default=""),
                    all(
                        [
                            any(
                                [
                                    ":\\Program Files (x86)\\Java\\"
                                    in event.deep_get("ParentImage", default=""),
                                    ":\\Program Files\\Java\\"
                                    in event.deep_get("ParentImage", default=""),
                                ]
                            ),
                            event.deep_get("ParentImage", default="").endswith("\\bin\\javaws.exe"),
                            any(
                                [
                                    ":\\Program Files (x86)\\Java\\"
                                    in event.deep_get("Image", default=""),
                                    ":\\Program Files\\Java\\"
                                    in event.deep_get("Image", default=""),
                                ]
                            ),
                            event.deep_get("Image", default="").endswith("\\bin\\jp2launcher.exe"),
                            " -ma " in event.deep_get("CommandLine", default=""),
                        ]
                    ),
                ]
            ),
        ]
    ):
        return True
    return False
