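def rule(event):
    """Flag scheduled-task creation whose command line carries a suspicious payload.

    The rule fires when the process image ends with ``\\schtasks.exe``, the
    command line contains ``/Create ``, and at least one of these holds:

    1. a recurring or SYSTEM schedule (``/sc minute `` or ``/ru system ``)
       together with a ``cmd`` / ``cmd.exe`` one-shot switch (``/c``, ``/k``, ``/r``);
    2. an encoding, hidden-window, policy-bypass, download-cradle or
       ``mshta http`` indicator;
    3. a user-writable or temp location together with ``cscript``, ``wscript``
       or ``curl``.

    Matching is case-insensitive: Windows resolves image paths without regard
    to case, and the schtasks, cmd and PowerShell tokens matched here are not
    case-sensitive either, so an exact-case comparison would miss ``/create``
    or ``SCHTASKS.EXE``.

    Args:
        event: Object exposing ``deep_get(key, default=...)``. The ``Image`` and
            ``CommandLine`` keys look like process-creation telemetry
            (presumably Sysmon-style; confirm against the log source).

    Returns:
        bool: True when the event matches, False otherwise.
    """
    # Read each field once. `or ""` also covers a key that is present but null,
    # in case deep_get hands back None instead of the default.
    image = (event.deep_get("Image", default="") or "").lower()
    command_line = (event.deep_get("CommandLine", default="") or "").lower()

    # Gate: only task *creation* by schtasks is in scope.
    if not image.endswith("\\schtasks.exe") or "/create " not in command_line:
        return False

    def contains_any(needles):
        # Literal substring match. The needles keep their surrounding spaces
        # to limit false positives, so irregular spacing in the telemetry
        # should be normalised upstream rather than here.
        return any(needle in command_line for needle in needles)

    # All needles below are lower-cased because command_line is lower-cased.
    schedule_markers = ("/sc minute ", "/ru system ")
    shell_launchers = (
        "cmd /c",
        "cmd /k",
        "cmd /r",
        "cmd.exe /c ",
        "cmd.exe /k ",
        "cmd.exe /r ",
    )
    payload_indicators = (
        " -decode ",
        " -enc ",
        " -w hidden ",
        " bypass ",
        " iex",
        ".downloaddata",
        ".downloadfile",
        ".downloadstring",
        "/c start /min ",
        "frombase64string",
        "mshta http",
        "mshta.exe http",
    )
    writable_locations = (
        ":\\programdata\\",
        ":\\temp\\",
        ":\\tmp\\",
        ":\\users\\public\\",
        ":\\windows\\temp\\",
        "\\appdata\\",
        "%appdata%",
        "%temp%",
        "%tmp%",
    )
    script_or_fetch_tools = ("cscript", "curl", "wscript")

    # Branch 1: frequent/SYSTEM schedule that launches a command shell.
    if contains_any(schedule_markers) and contains_any(shell_launchers):
        return True

    # Branch 2: any single obfuscation / download / remote-mshta indicator.
    if contains_any(payload_indicators):
        return True

    # Branch 3: script host or curl pointed at a user-writable location.
    return contains_any(writable_locations) and contains_any(script_or_fetch_tools)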
