def rule(event):
    if any(
        [
            all(
                [
                    event.deep_get("CommandLine", default="").endswith("cmd.exe /C whoami"),
                    event.deep_get("ParentImage", default="").startswith("C:\\Temp\\"),
                ]
            ),
            all(
                [
                    any(
                        [
                            event.deep_get("ParentImage", default="").endswith("\\runonce.exe"),
                            event.deep_get("ParentImage", default="").endswith("\\dllhost.exe"),
                        ]
                    ),
                    "cmd.exe /c echo" in event.deep_get("CommandLine", default=""),
                    "> \\\\.\\pipe" in event.deep_get("CommandLine", default=""),
                ]
            ),
            all(
                [
                    "cmd.exe /C echo" in event.deep_get("ParentCommandLine", default=""),
                    " > \\\\.\\pipe" in event.deep_get("ParentCommandLine", default=""),
                    event.deep_get("CommandLine", default="").endswith(
                        "conhost.exe 0xffffffff -ForceV1"
                    ),
                ]
            ),
            all(
                [
                    event.deep_get("ParentCommandLine", default="").endswith("/C whoami"),
                    event.deep_get("CommandLine", default="").endswith(
                        "conhost.exe 0xffffffff -ForceV1"
                    ),
                ]
            ),
        ]
    ):
        return True
    return False
