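# Path suffixes identifying the Windows PowerShell and PowerShell (Core) hosts.
_POWERSHELL_IMAGE_SUFFIXES = ("\\powershell.exe", "\\pwsh.exe")

# PE "OriginalFileName" values checked as an alternative to the image path, so a
# copied or renamed host binary is still in scope.
_POWERSHELL_ORIGINAL_NAMES = ("PowerShell.EXE", "pwsh.dll")

# Base64 fragments looked for in the command line. Each one decodes (UTF-16LE)
# to a mixed-case spelling of "net.web". The entries come in families beginning
# "bg"/"Tg", "4A" and "uA"/"OA": the same text at the three byte alignments it
# can have inside a longer Base64 blob. The comparison is case-sensitive by
# design, because Base64 itself is. The list is reproduced verbatim from the
# original rule; do not "normalise" or de-duplicate it by eye.
_ENCODED_NET_WEB_FRAGMENTS = (
    "TgBlAFQALgB3AEUAQg",
    "4AZQBUAC4AdwBFAEIA",
    "OAGUAVAAuAHcARQBCA",
    "bgBFAHQALgB3AGUAYg",
    "4ARQB0AC4AdwBlAGIA",
    "uAEUAdAAuAHcAZQBiA",
    "TgBFAHQALgB3AGUAYg",
    "OAEUAdAAuAHcAZQBiA",
    "bgBlAFQALgB3AGUAYg",
    "4AZQBUAC4AdwBlAGIA",
    "uAGUAVAAuAHcAZQBiA",
    "TgBlAFQALgB3AGUAYg",
    "OAGUAVAAuAHcAZQBiA",
    "bgBFAFQALgB3AGUAYg",
    "4ARQBUAC4AdwBlAGIA",
    "uAEUAVAAuAHcAZQBiA",
    "bgBlAHQALgBXAGUAYg",
    "4AZQB0AC4AVwBlAGIA",
    "uAGUAdAAuAFcAZQBiA",
    "bgBFAHQALgBXAGUAYg",
    "4ARQB0AC4AVwBlAGIA",
    "uAEUAdAAuAFcAZQBiA",
    "TgBFAHQALgBXAGUAYg",
    "OAEUAdAAuAFcAZQBiA",
    "bgBlAFQALgBXAGUAYg",
    "4AZQBUAC4AVwBlAGIA",
    "uAGUAVAAuAFcAZQBiA",
    "TgBlAFQALgBXAGUAYg",
    "OAGUAVAAuAFcAZQBiA",
    "bgBFAFQALgBXAGUAYg",
    "4ARQBUAC4AVwBlAGIA",
    "uAEUAVAAuAFcAZQBiA",
    "bgBlAHQALgB3AEUAYg",
    "4AZQB0AC4AdwBFAGIA",
    "uAGUAdAAuAHcARQBiA",
    "TgBlAHQALgB3AEUAYg",
    "OAGUAdAAuAHcARQBiA",
    "bgBFAHQALgB3AEUAYg",
    "4ARQB0AC4AdwBFAGIA",
    "uAEUAdAAuAHcARQBiA",
    "TgBFAHQALgB3AEUAYg",
    "OAEUAdAAuAHcARQBiA",
    "bgBlAFQALgB3AEUAYg",
    "4AZQBUAC4AdwBFAGIA",
    "uAGUAVAAuAHcARQBiA",
    "TgBlAFQALgB3AEUAYg",
    "OAGUAVAAuAHcARQBiA",
    "bgBFAFQALgB3AEUAYg",
    "4ARQBUAC4AdwBFAGIA",
    "uAEUAVAAuAHcARQBiA",
    "TgBFAFQALgB3AEUAYg",
    "OAEUAVAAuAHcARQBiA",
    "bgBlAHQALgBXAEUAYg",
    "4AZQB0AC4AVwBFAGIA",
    "uAGUAdAAuAFcARQBiA",
    "TgBlAHQALgBXAEUAYg",
    "OAGUAdAAuAFcARQBiA",
    "bgBFAHQALgBXAEUAYg",
    "4ARQB0AC4AVwBFAGIA",
    "uAEUAdAAuAFcARQBiA",
    "TgBFAHQALgBXAEUAYg",
    "OAEUAdAAuAFcARQBiA",
    "bgBlAFQALgBXAEUAYg",
    "4AZQBUAC4AVwBFAGIA",
    "uAGUAVAAuAFcARQBiA",
    "TgBlAFQALgBXAEUAYg",
    "OAGUAVAAuAFcARQBiA",
    "bgBFAFQALgBXAEUAYg",
    "4ARQBUAC4AVwBFAGIA",
    "uAEUAVAAuAFcARQBiA",
    "TgBFAFQALgBXAEUAYg",
    "OAEUAVAAuAFcARQBiA",
    "bgBlAHQALgB3AGUAQg",
    "4AZQB0AC4AdwBlAEIA",
    "uAGUAdAAuAHcAZQBCA",
    "TgBlAHQALgB3AGUAQg",
    "OAGUAdAAuAHcAZQBCA",
    "bgBFAHQALgB3AGUAQg",
    "4ARQB0AC4AdwBlAEIA",
    "uAEUAdAAuAHcAZQBCA",
    "TgBFAHQALgB3AGUAQg",
    "OAEUAdAAuAHcAZQBCA",
    "bgBlAFQALgB3AGUAQg",
    "4AZQBUAC4AdwBlAEIA",
    "uAGUAVAAuAHcAZQBCA",
    "TgBlAFQALgB3AGUAQg",
    "OAGUAVAAuAHcAZQBCA",
    "bgBFAFQALgB3AGUAQg",
    "4ARQBUAC4AdwBlAEIA",
    "uAEUAVAAuAHcAZQBCA",
    "TgBFAFQALgB3AGUAQg",
    "OAEUAVAAuAHcAZQBCA",
    "bgBlAHQALgBXAGUAQg",
    "4AZQB0AC4AVwBlAEIA",
    "uAGUAdAAuAFcAZQBCA",
    "TgBlAHQALgBXAGUAQg",
    "OAGUAdAAuAFcAZQBCA",
    "bgBFAHQALgBXAGUAQg",
    "4ARQB0AC4AVwBlAEIA",
    "uAEUAdAAuAFcAZQBCA",
    "TgBFAHQALgBXAGUAQg",
    "OAEUAdAAuAFcAZQBCA",
    "bgBlAFQALgBXAGUAQg",
    "4AZQBUAC4AVwBlAEIA",
    "uAGUAVAAuAFcAZQBCA",
    "TgBlAFQALgBXAGUAQg",
    "OAGUAVAAuAFcAZQBCA",
    "bgBFAFQALgBXAGUAQg",
    "4ARQBUAC4AVwBlAEIA",
    "uAEUAVAAuAFcAZQBCA",
    "TgBFAFQALgBXAGUAQg",
    "OAEUAVAAuAFcAZQBCA",
    "bgBlAHQALgB3AEUAQg",
    "4AZQB0AC4AdwBFAEIA",
    "uAGUAdAAuAHcARQBCA",
    "TgBlAHQALgB3AEUAQg",
    "OAGUAdAAuAHcARQBCA",
    "bgBFAHQALgB3AEUAQg",
    "4ARQB0AC4AdwBFAEIA",
    "uAEUAdAAuAHcARQBCA",
    "TgBFAHQALgB3AEUAQg",
    "OAEUAdAAuAHcARQBCA",
    "bgBlAFQALgB3AEUAQg",
    "uAGUAVAAuAHcARQBCA",
    "bgBFAFQALgB3AEUAQg",
    "4ARQBUAC4AdwBFAEIA",
    "uAEUAVAAuAHcARQBCA",
    "TgBFAFQALgB3AEUAQg",
    "OAEUAVAAuAHcARQBCA",
    "TgBlAHQALgBXAEUAQg",
    "4AZQB0AC4AVwBFAEIA",
    "OAGUAdAAuAFcARQBCA",
    "bgBFAHQALgBXAEUAQg",
    "4ARQB0AC4AVwBFAEIA",
    "uAEUAdAAuAFcARQBCA",
    "TgBFAHQALgBXAEUAQg",
    "OAEUAdAAuAFcARQBCA",
    "bgBlAFQALgBXAEUAQg",
    "4AZQBUAC4AVwBFAEIA",
    "uAGUAVAAuAFcARQBCA",
    "TgBlAFQALgBXAEUAQg",
    "OAGUAVAAuAFcARQBCA",
    "bgBFAFQALgBXAEUAQg",
    "4ARQBUAC4AVwBFAEIA",
    "uAEUAVAAuAFcARQBCA",
)


def rule(event):
    """Flag PowerShell launches whose command line carries Base64 of a mixed-case "net.web".

    The rule fires when both conditions hold:

    1. The process is a PowerShell host: ``Image`` ends with ``\\powershell.exe``
       or ``\\pwsh.exe``, or ``OriginalFileName`` is ``PowerShell.EXE`` or
       ``pwsh.dll``.
    2. ``CommandLine`` contains at least one fragment from
       ``_ENCODED_NET_WEB_FRAGMENTS``.

    Notes for whoever triages or tunes this:

    * A hit is a lead, not a verdict. Decode the Base64 argument to see the
      actual spelling and the rest of the command before escalating.
    * The rule only sees what process-creation telemetry records in
      ``CommandLine``. PowerShell script block logging (Event ID 4104) records
      the decoded script and is the natural companion data source.
    * Missing fields fall back to ``""`` and therefore never match.
    * NOTE(review): the field names look like Sysmon / Windows
      process-creation fields; confirm against the log schema this rule is
      attached to.

    Args:
        event: Object exposing ``deep_get(key, default=...)``.

    Returns:
        bool: ``True`` when the event matches, otherwise ``False``.
    """
    image = event.deep_get("Image", default="")
    is_powershell_host = image.endswith(_POWERSHELL_IMAGE_SUFFIXES) or (
        event.deep_get("OriginalFileName", default="") in _POWERSHELL_ORIGINAL_NAMES
    )
    if not is_powershell_host:
        # The rule runs on every process event; skip the fragment scan for the
        # vast majority that are not PowerShell.
        return False

    # Read the command line once and stop at the first fragment that matches.
    command_line = event.deep_get("CommandLine", default="")
    return any(fragment in command_line for fragment in _ENCODED_NET_WEB_FRAGMENTS)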
