import re


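def rule(event):
    """Return True when the event's CommandLine contains a known indicator.

    The indicators are fixed command-line fragments plus two patterns
    (reading a KeePass config file, querying stored PuTTY sessions).

    Matching is case-insensitive: Windows resolves executable names, paths,
    registry keys and PowerShell parameters without regard to case, so an
    exact-case comparison is bypassed by simply re-casing the command.

    Args:
        event: object exposing ``deep_get(key, default=...)``.

    Returns:
        bool: True if any indicator is present, otherwise False. A missing,
        empty or non-string CommandLine yields False.
    """
    # Read the field once instead of once per indicator.
    command_line = event.deep_get("CommandLine", default="")
    if not isinstance(command_line, str) or not command_line:
        # A null/non-string field cannot match; avoid raising TypeError on `in`.
        return False

    literal_indicators = (
        "checkadmin.exe 127.0.0.1 -all",
        "netsh advfirewall firewall add rule name=powershell dir=in",
        "cmd /c powershell.exe -ep bypass -file c:\\s.ps1",
        "/tn win32times /f",
        "create win32times binPath=",
        "\\c$\\windows\\system32\\devmgr.dll",
        "iie.exe iie.txt",
    )
    lowered = command_line.lower()
    if any(indicator.lower() in lowered for indicator in literal_indicators):
        return True

    pattern_indicators = (
        # The PowerShell switches are case-insensitive, but the Base64 prefix
        # is data: changing its case changes the decoded payload, so that part
        # stays case-sensitive.
        r" -exec bypass -enc (?-i:JgAg)",
        r"type .*keepass\\KeePass.config.xml",
        r"reg query HKEY_CURRENT_USER\\Software\\.*\\PuTTY\\Sessions\\",
    )
    # re.search rather than an anchored re.match: "." does not match a newline,
    # so "^.*" would miss an indicator on the second line of a multi-line
    # command line.
    return any(
        re.search(pattern, command_line, re.IGNORECASE) is not None
        for pattern in pattern_indicators
    )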
