def rule(event):
    if all(
        [
            any(
                [
                    event.deep_get("Description", default="") == "Execute processes remotely",
                    event.deep_get("Product", default="") == "Sysinternals PsExec",
                    any(
                        [
                            event.deep_get("Description", default="").startswith(
                                "Windows PowerShell"
                            ),
                            event.deep_get("Description", default="").startswith("pwsh"),
                        ]
                    ),
                    event.deep_get("OriginalFileName", default="")
                    in [
                        "certutil.exe",
                        "cmstp.exe",
                        "cscript.exe",
                        "IE4UINIT.EXE",
                        "finger.exe",
                        "mshta.exe",
                        "msiexec.exe",
                        "msxsl.exe",
                        "powershell_ise.exe",
                        "powershell.exe",
                        "psexec.c",
                        "psexec.exe",
                        "psexesvc.exe",
                        "pwsh.dll",
                        "reg.exe",
                        "regsvr32.exe",
                        "rundll32.exe",
                        "WerMgr",
                        "wmic.exe",
                        "wscript.exe",
                    ],
                ]
            ),
            not any(
                [
                    event.deep_get("Image", default="").endswith("\\certutil.exe"),
                    event.deep_get("Image", default="").endswith("\\cmstp.exe"),
                    event.deep_get("Image", default="").endswith("\\cscript.exe"),
                    event.deep_get("Image", default="").endswith("\\ie4uinit.exe"),
                    event.deep_get("Image", default="").endswith("\\finger.exe"),
                    event.deep_get("Image", default="").endswith("\\mshta.exe"),
                    event.deep_get("Image", default="").endswith("\\msiexec.exe"),
                    event.deep_get("Image", default="").endswith("\\msxsl.exe"),
                    event.deep_get("Image", default="").endswith("\\powershell_ise.exe"),
                    event.deep_get("Image", default="").endswith("\\powershell.exe"),
                    event.deep_get("Image", default="").endswith("\\psexec.exe"),
                    event.deep_get("Image", default="").endswith("\\psexec64.exe"),
                    event.deep_get("Image", default="").endswith("\\PSEXESVC.exe"),
                    event.deep_get("Image", default="").endswith("\\pwsh.exe"),
                    event.deep_get("Image", default="").endswith("\\reg.exe"),
                    event.deep_get("Image", default="").endswith("\\regsvr32.exe"),
                    event.deep_get("Image", default="").endswith("\\rundll32.exe"),
                    event.deep_get("Image", default="").endswith("\\wermgr.exe"),
                    event.deep_get("Image", default="").endswith("\\wmic.exe"),
                    event.deep_get("Image", default="").endswith("\\wscript.exe"),
                ]
            ),
        ]
    ):
        return True
    return False
