def rule(event):
    if all(
        [
            any(
                [
                    event.deep_get("Image", default="").endswith("\\bitsadmin.exe"),
                    event.deep_get("OriginalFileName", default="") == "bitsadmin.exe",
                ]
            ),
            any(
                [
                    " /transfer " in event.deep_get("CommandLine", default=""),
                    " /create " in event.deep_get("CommandLine", default=""),
                    " /addfile " in event.deep_get("CommandLine", default=""),
                ]
            ),
            any(
                [
                    ".7z" in event.deep_get("CommandLine", default=""),
                    ".asax" in event.deep_get("CommandLine", default=""),
                    ".ashx" in event.deep_get("CommandLine", default=""),
                    ".asmx" in event.deep_get("CommandLine", default=""),
                    ".asp" in event.deep_get("CommandLine", default=""),
                    ".aspx" in event.deep_get("CommandLine", default=""),
                    ".bat" in event.deep_get("CommandLine", default=""),
                    ".cfm" in event.deep_get("CommandLine", default=""),
                    ".cgi" in event.deep_get("CommandLine", default=""),
                    ".chm" in event.deep_get("CommandLine", default=""),
                    ".cmd" in event.deep_get("CommandLine", default=""),
                    ".dll" in event.deep_get("CommandLine", default=""),
                    ".gif" in event.deep_get("CommandLine", default=""),
                    ".jpeg" in event.deep_get("CommandLine", default=""),
                    ".jpg" in event.deep_get("CommandLine", default=""),
                    ".jsp" in event.deep_get("CommandLine", default=""),
                    ".jspx" in event.deep_get("CommandLine", default=""),
                    ".log" in event.deep_get("CommandLine", default=""),
                    ".png" in event.deep_get("CommandLine", default=""),
                    ".ps1" in event.deep_get("CommandLine", default=""),
                    ".psm1" in event.deep_get("CommandLine", default=""),
                    ".rar" in event.deep_get("CommandLine", default=""),
                    ".scf" in event.deep_get("CommandLine", default=""),
                    ".sct" in event.deep_get("CommandLine", default=""),
                    ".txt" in event.deep_get("CommandLine", default=""),
                    ".vbe" in event.deep_get("CommandLine", default=""),
                    ".vbs" in event.deep_get("CommandLine", default=""),
                    ".war" in event.deep_get("CommandLine", default=""),
                    ".wsf" in event.deep_get("CommandLine", default=""),
                    ".wsh" in event.deep_get("CommandLine", default=""),
                    ".xll" in event.deep_get("CommandLine", default=""),
                    ".zip" in event.deep_get("CommandLine", default=""),
                ]
            ),
        ]
    ):
        return True
    return False
