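def rule(event):
    """Flag script-host style execution that references a commonly abused folder.

    The rule fires when all three of the following hold:

    1. The process looks like a script interpreter launch: ``Image`` ends with
       cscript/mshta/wscript, or ``OriginalFileName`` is one of those binaries
       (which still matches a renamed copy), or ``CommandLine`` carries one of
       the listed PowerShell / script-engine switches.
    2. ``CommandLine`` references a world-writable, temp, startup or
       user-profile content folder.
    3. The event is not the excluded Chocolatey installer pattern
       (PowerShell spawned by Msiexec running ``Install-Chocolatey.ps1`` from
       the user's temp directory).

    All comparisons are case-insensitive. Windows file names, environment
    variable names and the matched switches are not case-sensitive, so an
    exact-case comparison would miss e.g. ``WSCRIPT.EXE`` or ``-EP Bypass`` and
    would also fail to apply the exclusion when the parent path is logged with
    different casing.

    Args:
        event: Log event exposing ``deep_get(key, default=...)``. The fields
            read are ``Image``, ``CommandLine``, ``OriginalFileName`` and
            ``ParentImage``.

    Returns:
        bool: ``True`` when the event should raise an alert, else ``False``.
    """

    def field(name):
        # Missing or non-string values are treated as empty so the substring
        # checks below cannot raise on malformed events.
        value = event.deep_get(name, default="")
        return value.lower() if isinstance(value, str) else ""

    image = field("Image")
    command_line = field("CommandLine")
    original_file_name = field("OriginalFileName")
    parent_image = field("ParentImage")

    def cmd_has(*needles):
        return any(needle.lower() in command_line for needle in needles)

    # --- 1. script interpreter indicators -------------------------------
    # NOTE: the switches keep their surrounding spaces, so a switch that is
    # the very last token of the command line, or is delimited by another
    # whitespace character, is not matched by this list.
    is_script_host = (
        image.endswith(("\\cscript.exe", "\\mshta.exe", "\\wscript.exe"))
        or cmd_has(
            " -ep bypass ",
            " -ExecutionPolicy bypass ",
            " -w hidden ",
            "/e:javascript ",
            "/e:Jscript ",
            "/e:vbscript ",
        )
        or original_file_name in ("cscript.exe", "mshta.exe", "wscript.exe")
    )

    # --- 2. suspicious folder referenced on the command line -------------
    in_shared_or_temp_folder = cmd_has(
        ":\\Perflogs\\",
        ":\\Users\\Public\\",
        "\\%Public%",
        "\\AppData\\Local\\Temp",
        "\\AppData\\Roaming\\Temp",
        "\\Temporary Internet",
        "\\Windows\\Temp",
        "\\Start Menu\\Programs\\Startup\\",
        "%TEMP%",
        "%TMP%",
        "%LocalAppData%\\Temp",
    )
    # These sub-folders only count when the command line also references a
    # path under <drive>:\Users\.
    in_user_content_folder = cmd_has(":\\Users\\") and cmd_has(
        "\\Favorites\\",
        "\\Favourites\\",
        "\\Contacts\\",
        "\\Documents\\",
        "\\Music\\",
        "\\Pictures\\",
        "\\Videos\\",
    )
    in_suspicious_folder = in_shared_or_temp_folder or in_user_content_folder

    # --- 3. known-benign exclusion: Chocolatey install via Msiexec -------
    # Every condition must hold for the event to be excluded. The match is on
    # the logged parent path and command-line text only.
    is_chocolatey_install = (
        parent_image
        in (
            "c:\\windows\\system32\\msiexec.exe",
            "c:\\windows\\syswow64\\msiexec.exe",
        )
        and image.endswith("\\powershell.exe")
        and all(
            fragment.lower() in command_line
            for fragment in (
                "-NoProfile -ExecutionPolicy Bypass -Command",
                "AppData\\Local\\Temp\\",
                "Install-Chocolatey.ps1",
            )
        )
    )

    return is_script_host and in_suspicious_folder and not is_chocolatey_install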
