def rule(event):
    if all(
        [
            "\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU"
            in event.deep_get("TargetObject", default=""),
            any(
                [
                    all(
                        [
                            any(
                                [
                                    "powershell" in event.deep_get("Details", default=""),
                                    "pwsh" in event.deep_get("Details", default=""),
                                ]
                            ),
                            any(
                                [
                                    " -e " in event.deep_get("Details", default=""),
                                    " -ec " in event.deep_get("Details", default=""),
                                    " -en " in event.deep_get("Details", default=""),
                                    " -enc " in event.deep_get("Details", default=""),
                                    " -enco" in event.deep_get("Details", default=""),
                                    "ftp" in event.deep_get("Details", default=""),
                                    "Hidden" in event.deep_get("Details", default=""),
                                    "http" in event.deep_get("Details", default=""),
                                    "iex" in event.deep_get("Details", default=""),
                                    "Invoke-" in event.deep_get("Details", default=""),
                                ]
                            ),
                        ]
                    ),
                    all(
                        [
                            "wmic" in event.deep_get("Details", default=""),
                            any(
                                [
                                    "shadowcopy" in event.deep_get("Details", default=""),
                                    "process call create" in event.deep_get("Details", default=""),
                                ]
                            ),
                        ]
                    ),
                ]
            ),
        ]
    ):
        return True
    return False
