def rule(event):
    if any(
        [
            event.deep_get("Image", default="").endswith("\\iodine.exe"),
            "\\dnscat2" in event.deep_get("Image", default=""),
        ]
    ):
        return True
    return False
