def rule(event):
    if all(
        [
            event.deep_get("ParentImage", default="").endswith("\\crushftp.exe"),
            any(
                [
                    all(
                        [
                            any(
                                [
                                    event.deep_get("Image", default="").endswith(
                                        "\\powershell.exe"
                                    ),
                                    event.deep_get("Image", default="").endswith(
                                        "\\powershell_ise.exe"
                                    ),
                                    event.deep_get("Image", default="").endswith("\\pwsh.exe"),
                                ]
                            ),
                            "IEX" in event.deep_get("CommandLine", default=""),
                            "enc" in event.deep_get("CommandLine", default=""),
                            "Hidden" in event.deep_get("CommandLine", default=""),
                            "bypass" in event.deep_get("CommandLine", default=""),
                        ]
                    ),
                    all(
                        [
                            event.deep_get("Image", default="").endswith("\\cmd.exe"),
                            any(
                                [
                                    "/c powershell" in event.deep_get("CommandLine", default=""),
                                    "whoami" in event.deep_get("CommandLine", default=""),
                                    "net.exe" in event.deep_get("CommandLine", default=""),
                                    "net1.exe" in event.deep_get("CommandLine", default=""),
                                ]
                            ),
                        ]
                    ),
                    any(
                        [
                            event.deep_get("Image", default="").endswith("\\bitsadmin.exe"),
                            event.deep_get("Image", default="").endswith("\\certutil.exe"),
                            event.deep_get("Image", default="").endswith("\\mshta.exe"),
                            event.deep_get("Image", default="").endswith("\\cscript.exe"),
                            event.deep_get("Image", default="").endswith("\\wscript.exe"),
                        ]
                    ),
                ]
            ),
        ]
    ):
        return True
    return False
