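def rule(event):
    """Flag events whose image path or command line carries a suspicious name.

    Returns True when either of the following holds:

    * ``Image`` contains a CVE-style path component (``\\CVE-202`` or
      ``\\CVE202``) or ends with one of the known tool/PoC binary names.
    * ``CommandLine`` contains one of the known offensive PowerShell script
      names or path fragments.

    Matching is case-insensitive. Windows file names and PowerShell script
    paths are not case-sensitive, so an exact-case comparison would miss
    ``POC.EXE`` or ``powerview.PS1``.

    This check is purely name-based: a renamed binary or script does not
    match, and benign files that reuse these names do. Treat a hit as a
    triage signal, not a verdict.

    Args:
        event: Object exposing ``deep_get(key, default=...)``.

    Returns:
        bool: True if any indicator matches, False otherwise.
    """
    # Indicators are stored lower-case because the field values are
    # lower-cased before comparison.
    image_fragments = ("\\cve-202", "\\cve202")
    image_suffixes = (
        "\\poc.exe",
        "\\artifact.exe",
        "\\artifact64.exe",
        "\\artifact_protected.exe",
        "\\artifact32.exe",
        "\\artifact32big.exe",
        "obfuscated.exe",
        "obfusc.exe",
        "\\meterpreter",
    )
    command_line_fragments = (
        "inject.ps1",
        "invoke-cve",
        "pupy.ps1",
        "payload.ps1",
        "beacon.ps1",
        "powerview.ps1",
        "bypass.ps1",
        "obfuscated.ps1",
        "obfusc.ps1",
        "obfus.ps1",
        "obfs.ps1",
        "evil.ps1",
        "minidogz.ps1",
        "_enc.ps1",
        "\\shell.ps1",
        "\\rshell.ps1",
        "revshell.ps1",
        "\\av.ps1",
        "\\av_test.ps1",
        "adrecon.ps1",
        "mimikatz.ps1",
        "\\powerup_",
        "powerup.ps1",
        "\\temp\\a.ps1",
        "\\temp\\p.ps1",
        "\\temp\\1.ps1",
        "hound.ps1",
        "encode.ps1",
        "powercat.ps1",
    )

    # Read each field once; `or ""` also covers a field that is present but
    # null, so the string operations below cannot fail on None.
    image = (event.deep_get("Image", default="") or "").lower()
    command_line = (event.deep_get("CommandLine", default="") or "").lower()

    if any(fragment in image for fragment in image_fragments):
        return True
    # str.endswith accepts a tuple and tests every suffix in one call.
    if image.endswith(image_suffixes):
        return True
    return any(fragment in command_line for fragment in command_line_fragments)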
