def rule(event):
    if all(
        [
            any(
                [
                    all(
                        [
                            "-nop" in event.deep_get("ContextInfo", default=""),
                            " -w " in event.deep_get("ContextInfo", default=""),
                            "hidden" in event.deep_get("ContextInfo", default=""),
                            " -c " in event.deep_get("ContextInfo", default=""),
                            "[Convert]::FromBase64String"
                            in event.deep_get("ContextInfo", default=""),
                        ]
                    ),
                    all(
                        [
                            " -w " in event.deep_get("ContextInfo", default=""),
                            "hidden" in event.deep_get("ContextInfo", default=""),
                            "-noni" in event.deep_get("ContextInfo", default=""),
                            "-nop" in event.deep_get("ContextInfo", default=""),
                            " -c " in event.deep_get("ContextInfo", default=""),
                            "iex" in event.deep_get("ContextInfo", default=""),
                            "New-Object" in event.deep_get("ContextInfo", default=""),
                        ]
                    ),
                    all(
                        [
                            " -w " in event.deep_get("ContextInfo", default=""),
                            "hidden" in event.deep_get("ContextInfo", default=""),
                            "-ep" in event.deep_get("ContextInfo", default=""),
                            "bypass" in event.deep_get("ContextInfo", default=""),
                            "-Enc" in event.deep_get("ContextInfo", default=""),
                        ]
                    ),
                    all(
                        [
                            "powershell" in event.deep_get("ContextInfo", default=""),
                            "reg" in event.deep_get("ContextInfo", default=""),
                            "add" in event.deep_get("ContextInfo", default=""),
                            any(
                                [
                                    "\\software\\microsoft\\windows\\currentversion\\run"
                                    in event.deep_get("ContextInfo", default=""),
                                    "\\software\\wow6432node\\microsoft\\windows\\currentversion\\run"
                                    in event.deep_get("ContextInfo", default=""),
                                    "\\software\\microsoft\\windows\\currentversion\\policies\\explorer\\run"
                                    in event.deep_get("ContextInfo", default=""),
                                ]
                            ),
                        ]
                    ),
                    all(
                        [
                            "bypass" in event.deep_get("ContextInfo", default=""),
                            "-noprofile" in event.deep_get("ContextInfo", default=""),
                            "-windowstyle" in event.deep_get("ContextInfo", default=""),
                            "hidden" in event.deep_get("ContextInfo", default=""),
                            "new-object" in event.deep_get("ContextInfo", default=""),
                            "system.net.webclient" in event.deep_get("ContextInfo", default=""),
                            ".download" in event.deep_get("ContextInfo", default=""),
                        ]
                    ),
                    all(
                        [
                            "iex" in event.deep_get("ContextInfo", default=""),
                            "New-Object" in event.deep_get("ContextInfo", default=""),
                            "Net.WebClient" in event.deep_get("ContextInfo", default=""),
                            ".Download" in event.deep_get("ContextInfo", default=""),
                        ]
                    ),
                ]
            ),
            not any(
                [
                    "(New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1"
                    in event.deep_get("ContextInfo", default=""),
                    "Write-ChocolateyWarning" in event.deep_get("ContextInfo", default=""),
                ]
            ),
        ]
    ):
        return True
    return False
