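def rule(event):
    """Return True when an event's process fields match destructive-activity indicators.

    The event is expected to expose ``deep_get(key, default=...)`` and to carry
    ``Image`` and ``CommandLine`` fields (presumably a Windows process-creation
    log; confirm against the log types this rule is attached to).

    The rule fires when either of the following holds:

    * the executable lives under ``C:\\Users\\Public\\`` and was started with a
      ``-single`` argument, or
    * the command line contains any one of the fixed command fragments listed
      in ``command_markers`` below.

    Matching is case-insensitive. Windows paths, cmd.exe built-ins and
    PowerShell ignore case, so a case-sensitive comparison would miss the same
    command typed with different capitalisation.

    Args:
        event: Log event object providing ``deep_get``.

    Returns:
        bool: True if the event matches, False otherwise.
    """
    # Missing or null fields are treated as empty strings, and non-string
    # values are stringified, so a malformed event cannot raise inside the rule.
    image = str(event.deep_get("Image", default="") or "").lower()
    command_line = str(event.deep_get("CommandLine", default="") or "").lower()

    # Indicator 1: binary staged in the world-writable Public profile and
    # launched with the " -single " switch (surrounding spaces are significant).
    public_dir_prefix = "C:\\Users\\Public\\".lower()
    if image.startswith(public_dir_prefix) and " -single " in command_line:
        return True

    # Indicator 2: any of these command fragments on its own is sufficient.
    # NOTE(review): these are exact substrings, so extra whitespace or different
    # quoting in the logged command line will not match. Treat this as a
    # high-confidence signature, not as complete coverage of the behaviour.
    command_markers = (
        # Deletion of the Task Manager binary.
        "del C:\\Windows\\System32\\Taskmgr.exe",
        # Services being switched to Disabled from a PowerShell pipeline.
        ";Set-Service -StartupType Disabled $",
        # PowerShell decoding a Base64 blob into a UTF-16 string at launch.
        'powershell -command "$x =[System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String(',
        # Loop that hands files to wordpad.exe with the /p switch.
        " do start wordpad.exe /p ",
    )
    return any(marker.lower() in command_line for marker in command_markers)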
