def rule(event):
    if any(
        [
            event.deep_get("Image", default="").endswith("\\chisel.exe"),
            all(
                [
                    any(
                        [
                            "exe client " in event.deep_get("CommandLine", default=""),
                            "exe server " in event.deep_get("CommandLine", default=""),
                        ]
                    ),
                    any(
                        [
                            "-socks5" in event.deep_get("CommandLine", default=""),
                            "-reverse" in event.deep_get("CommandLine", default=""),
                            " r:" in event.deep_get("CommandLine", default=""),
                            ":127.0.0.1:" in event.deep_get("CommandLine", default=""),
                            "-tls-skip-verify " in event.deep_get("CommandLine", default=""),
                            ":socks" in event.deep_get("CommandLine", default=""),
                        ]
                    ),
                ]
            ),
        ]
    ):
        return True
    return False
