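# Indicator strings are kept exactly as published and lower-cased once at
# import time, so every comparison in rule() can be done case-insensitively.
_ADFIND_CLI_MARKERS = tuple(
    marker.lower()
    for marker in (
        "domainlist",
        "trustdmp",
        "dcmodes",
        "adinfo",
        " dclist ",
        "computer_pwdnotreqd",
        "objectcategory=",
        "-subnets -f",
        'name="Domain Admins"',
        "-sc u:",
        "domainncs",
        "dompol",
        " oudmp ",
        "subnetdmp",
        "gpodmp",
        "fspdmp",
        "users_noexpire",
        "computers_active",
        "computers_pwdnotreqd",
    )
)

_ADFIND_IMPHASHES = tuple(
    imphash.lower()
    for imphash in (
        "IMPHASH=BCA5675746D13A1F246E2DA3C2217492",
        "IMPHASH=53E117A96057EAF19C41380D0E87F1C2",
        "IMPHASH=d144de8117df2beceaba2201ad304764",
        "IMPHASH=12ce1c0f3f5837ecc18a3782408fa975",
        "IMPHASH=4fbf3f084fbbb2470b80b2013134df35",
        "IMPHASH=49b639b4acbecc49d72a01f357aa4930",
        "IMPHASH=680dad9e300346e05a85023965867201",
        "IMPHASH=21aa085d54992511b9f115355e468782",
    )
)


def rule(event):
    """Flag a process that looks like AdFind but does not run as AdFind.exe.

    The rule fires when the image path does NOT end in ``\\AdFind.exe`` and at
    least one of the following holds:

    * ``OriginalFileName`` equals ``AdFind.exe``;
    * ``Hashes`` contains one of the listed ``IMPHASH=`` values;
    * ``CommandLine`` contains one of the listed AdFind-style substrings.

    All comparisons are case-insensitive. The indicator list itself mixes
    upper- and lower-case import hashes, and Windows paths are not
    case-sensitive, so an exact-case match would miss events whose log source
    uses the other casing and would also fire on ``adfind.exe`` spelled in
    lower case.

    Args:
        event: object exposing ``deep_get(key, default=...)``.
            NOTE(review): the field names look like Sysmon-style
            process-creation fields - confirm against the log type this rule
            is attached to.

    Returns:
        bool: True when the event matches, False otherwise.
    """
    # `or ""` covers a field that is present but null.
    image = (event.deep_get("Image", default="") or "").lower()
    if image.endswith("\\adfind.exe"):
        # Running under its real name: out of scope for this rule.
        return False

    # PE version-info name survives a file rename, but it is attacker-editable
    # metadata, so it is only one of three independent signals.
    original_name = (event.deep_get("OriginalFileName", default="") or "").lower()
    if original_name == "adfind.exe":
        return True

    # Import hashes identify specific builds only; a repacked or recompiled
    # binary will not match, which is why the command-line check exists too.
    hashes = (event.deep_get("Hashes", default="") or "").lower()
    if any(imphash in hashes for imphash in _ADFIND_IMPHASHES):
        return True

    # Several of these substrings are short and generic (e.g. "adinfo",
    # "objectcategory="); expect to tune exclusions for legitimate LDAP
    # tooling in the monitored environment.
    command_line = (event.deep_get("CommandLine", default="") or "").lower()
    return any(marker in command_line for marker in _ADFIND_CLI_MARKERS)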
