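# Executable path suffixes that identify a PowerShell host process.
_POWERSHELL_IMAGE_SUFFIXES = ("\\powershell.exe", "\\pwsh.exe")

# Truncated spellings of -WindowStyle Hidden, -NoProfile, -NonInteractive,
# -EncodedCommand and -ExecutionPolicy Bypass. PowerShell accepts any
# unambiguous prefix of a parameter name, so a shortened form runs exactly like
# the full one while being far less common in legitimate administration
# scripts. The surrounding spaces are part of each pattern and are kept exactly
# as in the original rule.
_PARAMETER_FRAGMENTS = (
    "windowstyle h ",
    "windowstyl h",
    "windowsty h",
    "windowst h",
    "windows h",
    "windo h",
    "wind h",
    "win h",
    "wi h",
    "win h ",
    "win hi ",
    "win hid ",
    "win hidd ",
    "win hidde ",
    "NoPr ",
    "NoPro ",
    "NoProf ",
    "NoProfi ",
    "NoProfil ",
    "nonin ",
    "nonint ",
    "noninte ",
    "noninter ",
    "nonintera ",
    "noninterac ",
    "noninteract ",
    "noninteracti ",
    "noninteractiv ",
    "ec ",
    "encodedComman ",
    "encodedComma ",
    "encodedComm ",
    "encodedCom ",
    "encodedCo ",
    "encodedC ",
    "encoded ",
    "encode ",
    "encod ",
    "enco ",
    "en ",
    "executionpolic ",
    "executionpoli ",
    "executionpol ",
    "executionpo ",
    "executionp ",
    "execution bypass",
    "executio bypass",
    "executi bypass",
    "execut bypass",
    "execu bypass",
    "exec bypass",
    "exe bypass",
    "ex bypass",
    "ep bypass",
)

# Every fragment is matched with both parameter prefixes the original rule
# listed ("-" and "/"), preceded by a space, and lower-cased once at import time.
_COMMAND_LINE_NEEDLES = tuple(
    f" {prefix}{fragment}".lower()
    for prefix in ("-", "/")
    for fragment in _PARAMETER_FRAGMENTS
)


def rule(event):
    """Flag PowerShell launches that use abbreviated, evasion-prone parameters.

    Returns True when the event's ``Image`` ends with ``\\powershell.exe`` or
    ``\\pwsh.exe`` and its ``CommandLine`` contains at least one of the
    truncated parameter spellings in ``_COMMAND_LINE_NEEDLES``; otherwise
    returns False.

    Comparison is case-insensitive. PowerShell parameter names and Windows
    paths are both case-insensitive, so a case-sensitive substring test (as
    this rule previously performed) silently missed spellings such as
    ``-NOPROF`` or an upper-cased image path.

    Args:
        event: Object exposing ``deep_get(key, default=...)``. The field names
            look like process-creation telemetry (presumably Sysmon-style);
            confirm against the log source this rule is attached to.

    Returns:
        bool: True if the event matches, False otherwise.

    Note:
        This is literal substring matching on the logged command line, so a
        non-match is not evidence of benign activity; pair it with PowerShell
        script block / module logging for coverage of what was actually run.
    """
    # ``or ""`` guards against a field that is present but null.
    image = (event.deep_get("Image", default="") or "").lower()
    if not image.endswith(_POWERSHELL_IMAGE_SUFFIXES):
        return False

    # Fetch and normalise the command line once instead of once per pattern.
    command_line = (event.deep_get("CommandLine", default="") or "").lower()
    return any(needle in command_line for needle in _COMMAND_LINE_NEEDLES)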
