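def rule(event):
    """Return True when the event's command line contains a known AD-enumeration token.

    The indicators below look like AdFind shortcut switches and LDAP filter
    fragments used to enumerate Active Directory (domain controllers, trusts,
    subnets, GPOs, privileged groups, weak account settings).

    Matching is case-insensitive. LDAP attribute names and values such as
    ``objectCategory=`` or ``name="domain admins"`` are not case-sensitive,
    so a case-sensitive substring test would miss ordinary mixed-case
    invocations of the same query.

    Args:
        event: Log event exposing ``deep_get(key, default=...)``; only the
            ``CommandLine`` field is read.

    Returns:
        bool: True if any indicator occurs in the command line, else False.
    """
    # Indicators are stored lowercase because the command line is lowercased
    # before comparison.
    indicators = (
        "domainlist",
        "trustdmp",
        "dcmodes",
        "adinfo",
        "-sc dclist",
        "computer_pwdnotreqd",
        "objectcategory=",
        "-subnets -f",
        'name="domain admins"',
        "-sc u:",
        "domainncs",
        "dompol",
        " oudmp ",
        "subnetdmp",
        "gpodmp",
        "fspdmp",
        "users_noexpire",
        "computers_active",
        "computers_pwdnotreqd",
    )

    # Read the field once instead of once per indicator.
    command_line = event.deep_get("CommandLine", default="")

    # A null or non-string field cannot match; returning False avoids a
    # TypeError that would otherwise abort evaluation of this event.
    if not isinstance(command_line, str):
        return False

    # NOTE(review): only the command line is inspected, with no constraint on
    # the process image. Short tokens such as "adinfo" or "dompol" can
    # therefore match unrelated software; add an allow-list if this is noisy.
    normalized = command_line.lower()
    return any(indicator in normalized for indicator in indicators)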
