def rule(event):
    if all(
        [
            any(
                [
                    event.deep_get("Image", default="").endswith("/nc"),
                    event.deep_get("Image", default="").endswith("/ncat"),
                ]
            ),
            any(
                [
                    " -c " in event.deep_get("CommandLine", default=""),
                    " -e " in event.deep_get("CommandLine", default=""),
                ]
            ),
            any(
                [
                    " ash" in event.deep_get("CommandLine", default=""),
                    " bash" in event.deep_get("CommandLine", default=""),
                    " bsh" in event.deep_get("CommandLine", default=""),
                    " csh" in event.deep_get("CommandLine", default=""),
                    " ksh" in event.deep_get("CommandLine", default=""),
                    " pdksh" in event.deep_get("CommandLine", default=""),
                    " sh" in event.deep_get("CommandLine", default=""),
                    " tcsh" in event.deep_get("CommandLine", default=""),
                    "/bin/ash" in event.deep_get("CommandLine", default=""),
                    "/bin/bash" in event.deep_get("CommandLine", default=""),
                    "/bin/bsh" in event.deep_get("CommandLine", default=""),
                    "/bin/csh" in event.deep_get("CommandLine", default=""),
                    "/bin/ksh" in event.deep_get("CommandLine", default=""),
                    "/bin/pdksh" in event.deep_get("CommandLine", default=""),
                    "/bin/sh" in event.deep_get("CommandLine", default=""),
                    "/bin/tcsh" in event.deep_get("CommandLine", default=""),
                    "/bin/zsh" in event.deep_get("CommandLine", default=""),
                    "$IFSash" in event.deep_get("CommandLine", default=""),
                    "$IFSbash" in event.deep_get("CommandLine", default=""),
                    "$IFSbsh" in event.deep_get("CommandLine", default=""),
                    "$IFScsh" in event.deep_get("CommandLine", default=""),
                    "$IFSksh" in event.deep_get("CommandLine", default=""),
                    "$IFSpdksh" in event.deep_get("CommandLine", default=""),
                    "$IFSsh" in event.deep_get("CommandLine", default=""),
                    "$IFStcsh" in event.deep_get("CommandLine", default=""),
                    "$IFSzsh" in event.deep_get("CommandLine", default=""),
                ]
            ),
        ]
    ):
        return True
    return False
