def rule(event):
    if all(
        [
            any(
                [
                    event.deep_get("ParentImage", default="").endswith("\\WINWORD.EXE"),
                    event.deep_get("ParentImage", default="").endswith("\\EXCEL.EXE"),
                    event.deep_get("ParentImage", default="").endswith("\\POWERPNT.exe"),
                    event.deep_get("ParentImage", default="").endswith("\\MSPUB.exe"),
                    event.deep_get("ParentImage", default="").endswith("\\VISIO.exe"),
                    event.deep_get("ParentImage", default="").endswith("\\MSACCESS.EXE"),
                    event.deep_get("ParentImage", default="").endswith("\\EQNEDT32.EXE"),
                    event.deep_get("ParentImage", default="").endswith("\\ONENOTE.EXE"),
                    event.deep_get("ParentImage", default="").endswith("\\wordpad.exe"),
                    event.deep_get("ParentImage", default="").endswith("\\wordview.exe"),
                ]
            ),
            any(
                [
                    event.deep_get("Image", default="").endswith("\\wbem\\WMIC.exe"),
                    event.deep_get("OriginalFileName", default="") == "wmic.exe",
                ]
            ),
            "process" in event.deep_get("CommandLine", default=""),
            "create" in event.deep_get("CommandLine", default=""),
            "call" in event.deep_get("CommandLine", default=""),
            any(
                [
                    "regsvr32" in event.deep_get("CommandLine", default=""),
                    "rundll32" in event.deep_get("CommandLine", default=""),
                    "msiexec" in event.deep_get("CommandLine", default=""),
                    "mshta" in event.deep_get("CommandLine", default=""),
                    "verclsid" in event.deep_get("CommandLine", default=""),
                    "wscript" in event.deep_get("CommandLine", default=""),
                    "cscript" in event.deep_get("CommandLine", default=""),
                ]
            ),
        ]
    ):
        return True
    return False
