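def rule(event):
    """Flag a script host or shell that spawns a commonly abused Windows utility.

    The rule fires when all three conditions hold:

    1. ``ParentImage`` ends with one of the script-host / shell binaries
       (mshta, powershell, pwsh, rundll32, cscript, wscript, wmiprvse,
       regsvr32).
    2. ``Image`` ends with one of schtasks, nslookup, certutil, bitsadmin
       or mshta.
    3. None of the exclusions below match.

    Comparisons are case-insensitive. Windows treats paths
    case-insensitively, so an exact-case comparison would miss the same
    binary logged as e.g. ``MSHTA.EXE``.

    Args:
        event: Object exposing ``deep_get(key, default=...)`` for the
            process-creation fields ``ParentImage``, ``Image``,
            ``CurrentDirectory``, ``ParentCommandLine`` and ``CommandLine``.

    Returns:
        bool: ``True`` when the event should alert, ``False`` otherwise.
    """

    def field(name):
        # Normalise once per field: lower-case for case-insensitive matching,
        # and treat a missing or non-string value as empty instead of raising.
        value = event.deep_get(name, default="")
        return value.lower() if isinstance(value, str) else ""

    parent_image = field("ParentImage")
    image = field("Image")

    suspicious_parents = (
        "\\mshta.exe",
        "\\powershell.exe",
        "\\pwsh.exe",
        "\\rundll32.exe",
        "\\cscript.exe",
        "\\wscript.exe",
        "\\wmiprvse.exe",
        "\\regsvr32.exe",
    )
    suspicious_children = (
        "\\schtasks.exe",
        "\\nslookup.exe",
        "\\certutil.exe",
        "\\bitsadmin.exe",
        "\\mshta.exe",
    )

    # str.endswith accepts a tuple, so each list needs a single call.
    if not parent_image.endswith(suspicious_parents):
        return False
    if not image.endswith(suspicious_children):
        return False

    current_directory = field("CurrentDirectory")
    parent_command_line = field("ParentCommandLine")
    command_line = field("CommandLine")

    # NOTE(review): every exclusion below is a substring match on a value
    # supplied by the launching process, so each one is also a blind spot for
    # this rule. Keep the list short and cover these paths with another
    # detection - TODO confirm with the rule owner.

    # Exclusion: working directory under a "ccmcache" folder (presumably the
    # Configuration Manager client cache).
    if "\\ccmcache\\" in current_directory:
        return False

    # Exclusion: parent command line references one of the Amazon WorkSpaces
    # configuration scripts or a "\nessus_" path component.
    excluded_parent_markers = (
        "\\program files\\amazon\\workspacesconfig\\scripts\\setup-scheduledtask.ps1",
        "\\program files\\amazon\\workspacesconfig\\scripts\\set-selfhealing.ps1",
        "\\program files\\amazon\\workspacesconfig\\scripts\\check-workspacehealth.ps1",
        "\\nessus_",
    )
    if any(marker in parent_command_line for marker in excluded_parent_markers):
        return False

    # Exclusion: the child command line itself references "\nessus_".
    if "\\nessus_" in command_line:
        return False

    # Exclusion: mshta launching mshta where both command lines carry the
    # full set of MEM_Configmgr markers (presumably the Configuration Manager
    # installer splash screen). Every marker must be present for it to apply.
    setup_guid = "{1e460bd7-f1c3-4b2e-88bf-4e770a288af5}"
    parent_setup_markers = ("c:\\mem_configmgr_", "\\splash.hta", setup_guid)
    child_setup_markers = (
        "c:\\mem_configmgr_",
        "\\smssetup\\bin\\",
        "\\autorun.hta",
        setup_guid,
    )
    if (
        parent_image.endswith("\\mshta.exe")
        and image.endswith("\\mshta.exe")
        and all(marker in parent_command_line for marker in parent_setup_markers)
        and all(marker in command_line for marker in child_setup_markers)
    ):
        return False

    return True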
