def rule(event):
    if all(
        [
            any(
                [
                    event.deep_get("Image", default="").endswith("\\bitsadmin.exe"),
                    event.deep_get("OriginalFileName", default="") == "bitsadmin.exe",
                ]
            ),
            any(
                [
                    " /transfer " in event.deep_get("CommandLine", default=""),
                    " /create " in event.deep_get("CommandLine", default=""),
                    " /addfile " in event.deep_get("CommandLine", default=""),
                ]
            ),
            any(
                [
                    ":\\Perflogs" in event.deep_get("CommandLine", default=""),
                    ":\\ProgramData\\" in event.deep_get("CommandLine", default=""),
                    ":\\Temp\\" in event.deep_get("CommandLine", default=""),
                    ":\\Users\\Public\\" in event.deep_get("CommandLine", default=""),
                    ":\\Windows\\" in event.deep_get("CommandLine", default=""),
                    "\\$Recycle.Bin\\" in event.deep_get("CommandLine", default=""),
                    "\\AppData\\Local\\" in event.deep_get("CommandLine", default=""),
                    "\\AppData\\Roaming\\" in event.deep_get("CommandLine", default=""),
                    "\\Contacts\\" in event.deep_get("CommandLine", default=""),
                    "\\Desktop\\" in event.deep_get("CommandLine", default=""),
                    "\\Favorites\\" in event.deep_get("CommandLine", default=""),
                    "\\Favourites\\" in event.deep_get("CommandLine", default=""),
                    "\\inetpub\\wwwroot\\" in event.deep_get("CommandLine", default=""),
                    "\\Music\\" in event.deep_get("CommandLine", default=""),
                    "\\Pictures\\" in event.deep_get("CommandLine", default=""),
                    "\\Start Menu\\Programs\\Startup\\"
                    in event.deep_get("CommandLine", default=""),
                    "\\Users\\Default\\" in event.deep_get("CommandLine", default=""),
                    "\\Videos\\" in event.deep_get("CommandLine", default=""),
                    "%ProgramData%" in event.deep_get("CommandLine", default=""),
                    "%public%" in event.deep_get("CommandLine", default=""),
                    "%temp%" in event.deep_get("CommandLine", default=""),
                    "%tmp%" in event.deep_get("CommandLine", default=""),
                ]
            ),
        ]
    ):
        return True
    return False
