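# All literals below are lower-case: rule() lower-cases the event fields before
# comparing, because Windows file names are case-insensitive and the matched
# command-line tokens (cmd built-ins, PowerShell parameters) are too.

# Parent processes that are treated as web-server workers outright.
_WEB_SERVER_SUFFIXES = (
    "\\w3wp.exe",
    "\\php-cgi.exe",
    "\\nginx.exe",
    "\\httpd.exe",
    "\\caddy.exe",
    "\\ws_tomcatservice.exe",
)
# A Java parent only counts as a web server when a Tomcat marker is also present.
_JAVA_SUFFIXES = ("\\java.exe", "\\javaw.exe")
_TOMCAT_PATH_MARKERS = ("-tomcat-", "\\tomcat")
_TOMCAT_CMDLINE_MARKERS = ("catalina.jar", "catalina_home")

_NET_ORIGINAL_NAMES = frozenset({"net.exe", "net1.exe"})
_NET_ARGS = (" user ", " use ", " group ")
_SHELL_CHAIN_MARKERS = ("&cd&echo", "cd /d ")
_SHELL_SUFFIXES = ("\\cmd.exe", "\\powershell.exe", "\\pwsh.exe")
_SHELL_ARGS = (
    " -enc ",
    " -encodedcommand ",
    " -w hidden ",
    " -windowstyle hidden",
    ".webclient).download",
)
_MISC_MARKERS = (" test-netconnection ", "dir \\")

# Discovery binaries, matched by on-disk path suffix ...
_RECON_IMAGE_SUFFIXES = (
    "\\dsquery.exe",
    "\\find.exe",
    "\\findstr.exe",
    "\\ipconfig.exe",
    "\\netstat.exe",
    "\\nslookup.exe",
    "\\pathping.exe",
    "\\quser.exe",
    "\\schtasks.exe",
    "\\systeminfo.exe",
    "\\tasklist.exe",
    "\\tracert.exe",
    "\\ver.exe",
    "\\wevtutil.exe",
    "\\whoami.exe",
)
# ... or by OriginalFileName, which still matches when the binary was renamed
# on disk. The two lists are intentionally not mirror images: "sysinfo.exe" is
# the OriginalFileName counterpart of "\\systeminfo.exe", and "vssadmin.exe"
# is matched by OriginalFileName only.
_RECON_ORIGINAL_NAMES = frozenset(
    {
        "dsquery.exe",
        "find.exe",
        "findstr.exe",
        "ipconfig.exe",
        "netstat.exe",
        "nslookup.exe",
        "pathping.exe",
        "quser.exe",
        "schtasks.exe",
        "sysinfo.exe",
        "tasklist.exe",
        "tracert.exe",
        "ver.exe",
        "vssadmin.exe",
        "wevtutil.exe",
        "whoami.exe",
    }
)


def rule(event):
    """Flag discovery or shell activity spawned by a web-server process.

    The rule fires when BOTH of the following hold for a process-creation
    event:

    1. The parent looks like a web server: ``ParentImage`` ends with one of
       the known worker binaries, or it is ``java.exe``/``javaw.exe`` together
       with a Tomcat marker in ``ParentImage`` or in ``CommandLine``.
    2. The child looks like post-compromise triage: ``net``/``ping``/``wmic``
       with specific arguments, a chained ``cd``/``echo`` shell string, an
       encoded/hidden/downloading shell invocation, a known discovery binary,
       or a ``Test-NetConnection`` / ``dir \\`` command line.

    All comparisons are case-insensitive. A case-sensitive comparison would
    leave the rule silent for events whose paths or arguments are logged in a
    different case (for example ``W3WP.EXE`` or ``-ENC``); every event that
    matched the case-sensitive form still matches.

    Args:
        event: Object exposing ``deep_get(key, default=...)`` and carrying the
            string fields ``ParentImage``, ``Image``, ``OriginalFileName`` and
            ``CommandLine``. Missing fields are treated as empty strings.

    Returns:
        bool: ``True`` when the event should raise an alert, else ``False``.
    """

    def _field(name):
        # Normalise once per field instead of once per comparison.
        return event.deep_get(name, default="").lower()

    parent_image = _field("ParentImage")
    command_line = _field("CommandLine")
    image = _field("Image")
    original_name = _field("OriginalFileName")

    def _cmd_has(markers):
        return any(marker in command_line for marker in markers)

    # --- Condition 1: parent is a web-server process -----------------------
    java_parent = parent_image.endswith(_JAVA_SUFFIXES)
    # NOTE(review): the Tomcat command-line markers are looked up in the
    # child's CommandLine, not in a parent command line field. Confirm this
    # is intended; for a child process these strings are unlikely to appear.
    from_web_server = (
        parent_image.endswith(_WEB_SERVER_SUFFIXES)
        or (java_parent and any(m in parent_image for m in _TOMCAT_PATH_MARKERS))
        or (java_parent and _cmd_has(_TOMCAT_CMDLINE_MARKERS))
    )
    if not from_web_server:
        return False

    # --- Condition 2: child is a discovery / shell command -----------------
    return bool(
        (original_name in _NET_ORIGINAL_NAMES and _cmd_has(_NET_ARGS))
        or (original_name == "ping.exe" and " -n " in command_line)
        or _cmd_has(_SHELL_CHAIN_MARKERS)
        or (original_name == "wmic.exe" and " /node:" in command_line)
        or (image.endswith(_SHELL_SUFFIXES) and _cmd_has(_SHELL_ARGS))
        or image.endswith(_RECON_IMAGE_SUFFIXES)
        or original_name in _RECON_ORIGINAL_NAMES
        or _cmd_has(_MISC_MARKERS)
    )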
