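# Base64 fragments matched verbatim (case-sensitively: Base64 is a
# case-sensitive alphabet) against the process command line. Each group holds
# encodings of one cleartext keyword, covering the three possible byte
# alignments of the keyword inside an encoded blob, for both single-byte text
# and UTF-16LE text (the encoding PowerShell's -EncodedCommand expects).
_ENCODED_KEYWORD_FRAGMENTS = (
    # "bitsadmin /transfer"
    "AGkAdABzAGEAZABtAGkAbgAgAC8AdAByAGEAbgBzAGYAZQByA",
    "aXRzYWRtaW4gL3RyYW5zZmVy",
    "IAaQB0AHMAYQBkAG0AaQBuACAALwB0AHIAYQBuAHMAZgBlAHIA",
    "JpdHNhZG1pbiAvdHJhbnNmZX",
    "YgBpAHQAcwBhAGQAbQBpAG4AIAAvAHQAcgBhAG4AcwBmAGUAcg",
    "Yml0c2FkbWluIC90cmFuc2Zlc",
    # "$chunk_size"
    "AGMAaAB1AG4AawBfAHMAaQB6AGUA",
    "JABjAGgAdQBuAGsAXwBzAGkAegBlA",
    "JGNodW5rX3Npem",
    "QAYwBoAHUAbgBrAF8AcwBpAHoAZQ",
    "RjaHVua19zaXpl",
    "Y2h1bmtfc2l6Z",
    # "IO.Compression"
    "AE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4A",
    "kATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8Abg",
    "lPLkNvbXByZXNzaW9u",
    "SQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuA",
    "SU8uQ29tcHJlc3Npb2",
    "Ty5Db21wcmVzc2lvb",
    # "IO.MemoryStream"
    "AE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQ",
    "kATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtA",
    "lPLk1lbW9yeVN0cmVhb",
    "SQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0A",
    "SU8uTWVtb3J5U3RyZWFt",
    "Ty5NZW1vcnlTdHJlYW",
    # ".GetChunk"
    "4ARwBlAHQAQwBoAHUAbgBrA",
    "5HZXRDaHVua",
    "AEcAZQB0AEMAaAB1AG4Aaw",
    "LgBHAGUAdABDAGgAdQBuAGsA",
    "LkdldENodW5r",
    "R2V0Q2h1bm",
    # "THREAD_INFO64"
    "AEgAUgBFAEEARABfAEkATgBGAE8ANgA0A",
    "QASABSAEUAQQBEAF8ASQBOAEYATwA2ADQA",
    "RIUkVBRF9JTkZPNj",
    "SFJFQURfSU5GTzY0",
    "VABIAFIARQBBAEQAXwBJAE4ARgBPADYANA",
    "VEhSRUFEX0lORk82N",
    # "CreateRemoteThread"
    "AHIAZQBhAHQAZQBSAGUAbQBvAHQAZQBUAGgAcgBlAGEAZA",
    "cmVhdGVSZW1vdGVUaHJlYW",
    "MAcgBlAGEAdABlAFIAZQBtAG8AdABlAFQAaAByAGUAYQBkA",
    "NyZWF0ZVJlbW90ZVRocmVhZ",
    "Q3JlYXRlUmVtb3RlVGhyZWFk",
    "QwByAGUAYQB0AGUAUgBlAG0AbwB0AGUAVABoAHIAZQBhAGQA",
    # "memmove"
    "0AZQBtAG0AbwB2AGUA",
    "1lbW1vdm",
    "AGUAbQBtAG8AdgBlA",
    "bQBlAG0AbQBvAHYAZQ",
    "bWVtbW92Z",
    "ZW1tb3Zl",
)


def rule(event):
    """Flag a hidden PowerShell process whose command line carries Base64-encoded keywords.

    The rule fires only when all three conditions hold:

    1. The process is PowerShell: ``Image`` ends with ``\\powershell.exe`` or
       ``\\pwsh.exe``, or ``OriginalFileName`` is ``PowerShell.EXE`` or
       ``pwsh.dll``. ``OriginalFileName`` is read from the event as a second
       identifier, so a match does not depend on the on-disk file name alone.
    2. ``CommandLine`` contains the whitespace-delimited token ``hidden``.
    3. ``CommandLine`` contains at least one fragment from
       ``_ENCODED_KEYWORD_FRAGMENTS``.

    Conditions 1 and 2 are compared case-insensitively, because Windows paths
    and PowerShell parameter values are case-insensitive and a purely
    case-sensitive comparison would miss ordinary spellings such as
    ``PowerShell.exe`` or ``-WindowStyle Hidden``. Condition 3 stays
    case-sensitive, since changing the case of Base64 text changes what it
    decodes to.

    Args:
        event: Log event exposing ``deep_get(key, default=...)``; the fields
            ``Image``, ``OriginalFileName`` and ``CommandLine`` are read.

    Returns:
        bool: ``True`` when the event matches, ``False`` otherwise.
    """
    # `or ""` guards against a field that is present but null, which would
    # otherwise raise on the string operations below and drop the event.
    image = (event.deep_get("Image", default="") or "").lower()
    original_name = (event.deep_get("OriginalFileName", default="") or "").lower()
    command_line = event.deep_get("CommandLine", default="") or ""

    is_powershell = image.endswith(("\\powershell.exe", "\\pwsh.exe")) or original_name in (
        "powershell.exe",
        "pwsh.dll",
    )
    if not is_powershell:
        return False

    if " hidden " not in command_line.lower():
        return False

    # Match fragments against the unmodified command line: Base64 is case-sensitive.
    return any(fragment in command_line for fragment in _ENCODED_KEYWORD_FRAGMENTS)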
