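def rule(event):
    """Return True when a process-creation event matches one of the rule's indicators.

    The event matches if any of the following holds:

    * ``Image`` ends with ``\\policydefinitions\\postgresql.exe``;
    * ``CommandLine`` contains ``CSIDL_SYSTEM_DRIVE\\temp\\sys.tmp``;
    * ``CommandLine`` contains `` 1> \\\\127.0.0.1\\ADMIN$\\__16`` (output
      redirected to the local ADMIN$ share over loopback);
    * ``CommandLine`` contains all of ``powershell -c ``,
      ``\\comsvcs.dll MiniDump `` and ``\\winupd.log full`` (a full memory
      dump written through the MiniDump export of comsvcs.dll).

    Matching is case-insensitive. Windows treats paths and most command-line
    tokens case-insensitively, so an exact-case comparison would miss, for
    example, an image under ``PolicyDefinitions`` or a ``PowerShell -c``
    invocation.

    Args:
        event: Log event exposing ``deep_get(key, default=...)``.

    Returns:
        bool: True if the event matches an indicator, otherwise False.
    """
    # `or ""` covers a field that is present but null, in case deep_get hands
    # back None instead of the default; lower() gives a case-folded copy.
    image = (event.deep_get("Image", default="") or "").lower()
    command_line = (event.deep_get("CommandLine", default="") or "").lower()

    # Indicator 1: binary name/location on its own is enough to alert.
    if image.endswith("\\policydefinitions\\postgresql.exe"):
        return True

    # Indicator 2: either of these fragments alone is enough to alert.
    # NOTE(review): CSIDL_SYSTEM_DRIVE looks like a vendor-report placeholder
    # for the system drive, not text that appears in real command lines;
    # confirm against the rule's source, since as written it may never match.
    # NOTE(review): if "__16" is the start of an epoch-seconds file name, this
    # fragment only covers timestamps from roughly 2020-09 to 2023-11; confirm
    # whether the prefix should be relaxed.
    standalone_fragments = (
        "csidl_system_drive\\temp\\sys.tmp",
        " 1> \\\\127.0.0.1\\admin$\\__16",
    )
    if any(fragment in command_line for fragment in standalone_fragments):
        return True

    # Indicator 3: all three fragments must be present in the same command line.
    dump_fragments = (
        "powershell -c ",
        "\\comsvcs.dll minidump ",
        "\\winupd.log full",
    )
    return all(fragment in command_line for fragment in dump_fragments)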
