import re


def rule(event):
    if any(
        [
            re.match(
                r"^.*cmd.exe /Q /c .* 1> \\\\.*\\.*\\.* 2>&1.*$",
                event.deep_get("CommandLine", default=""),
            ),
            re.match(
                r"^.*cmd.exe /C .* > \\\\.*\\.*\\.* 2>&1.*$",
                event.deep_get("CommandLine", default=""),
            ),
            re.match(
                r"^.*cmd.exe /C .* > .*\\Temp\\.* 2>&1.*$",
                event.deep_get("CommandLine", default=""),
            ),
            'powershell.exe -exec bypass -noni -nop -w 1 -C "'
            in event.deep_get("CommandLine", default=""),
            "powershell.exe -noni -nop -w 1 -enc " in event.deep_get("CommandLine", default=""),
        ]
    ):
        return True
    return False
