def rule(event):
    if any(
        [
            any(
                [
                    event.deep_get("OriginalFileName", default="") == "winPEAS.exe",
                    any(
                        [
                            event.deep_get("Image", default="").endswith("\\winPEASany_ofs.exe"),
                            event.deep_get("Image", default="").endswith("\\winPEASany.exe"),
                            event.deep_get("Image", default="").endswith("\\winPEASx64_ofs.exe"),
                            event.deep_get("Image", default="").endswith("\\winPEASx64.exe"),
                            event.deep_get("Image", default="").endswith("\\winPEASx86_ofs.exe"),
                            event.deep_get("Image", default="").endswith("\\winPEASx86.exe"),
                        ]
                    ),
                ]
            ),
            any(
                [
                    " applicationsinfo" in event.deep_get("CommandLine", default=""),
                    " browserinfo" in event.deep_get("CommandLine", default=""),
                    " eventsinfo" in event.deep_get("CommandLine", default=""),
                    " fileanalysis" in event.deep_get("CommandLine", default=""),
                    " filesinfo" in event.deep_get("CommandLine", default=""),
                    " processinfo" in event.deep_get("CommandLine", default=""),
                    " servicesinfo" in event.deep_get("CommandLine", default=""),
                    " windowscreds" in event.deep_get("CommandLine", default=""),
                ]
            ),
            "https://github.com/carlospolop/PEASS-ng/releases/latest/download/"
            in event.deep_get("CommandLine", default=""),
            any(
                [
                    event.deep_get("ParentCommandLine", default="").endswith(" -linpeas"),
                    event.deep_get("CommandLine", default="").endswith(" -linpeas"),
                ]
            ),
        ]
    ):
        return True
    return False
