def rule(event):
    if all(
        [
            ":\\Users\\Public\\" in event.deep_get("ParentImage", default=""),
            any(
                [
                    any(
                        [
                            event.deep_get("Image", default="").endswith("\\bitsadmin.exe"),
                            event.deep_get("Image", default="").endswith("\\certutil.exe"),
                            event.deep_get("Image", default="").endswith("\\cmd.exe"),
                            event.deep_get("Image", default="").endswith("\\cscript.exe"),
                            event.deep_get("Image", default="").endswith("\\mshta.exe"),
                            event.deep_get("Image", default="").endswith("\\powershell.exe"),
                            event.deep_get("Image", default="").endswith("\\pwsh.exe"),
                            event.deep_get("Image", default="").endswith("\\regsvr32.exe"),
                            event.deep_get("Image", default="").endswith("\\rundll32.exe"),
                            event.deep_get("Image", default="").endswith("\\wscript.exe"),
                        ]
                    ),
                    any(
                        [
                            "bitsadmin" in event.deep_get("CommandLine", default=""),
                            "certutil" in event.deep_get("CommandLine", default=""),
                            "cscript" in event.deep_get("CommandLine", default=""),
                            "mshta" in event.deep_get("CommandLine", default=""),
                            "powershell" in event.deep_get("CommandLine", default=""),
                            "regsvr32" in event.deep_get("CommandLine", default=""),
                            "rundll32" in event.deep_get("CommandLine", default=""),
                            "wscript" in event.deep_get("CommandLine", default=""),
                        ]
                    ),
                ]
            ),
        ]
    ):
        return True
    return False
