def rule(event):
    if all(
        [
            event.deep_get("cs-method", default="") == "POST",
            "/login/index.php" in event.deep_get("cs-uri-query", default=""),
            "login=" in event.deep_get("cs-uri-query", default=""),
            any(
                [
                    "login=$(" in event.deep_get("cs-uri-query", default=""),
                    "base64" in event.deep_get("cs-uri-query", default=""),
                    "subprocess" in event.deep_get("cs-uri-query", default=""),
                    "socket" in event.deep_get("cs-uri-query", default=""),
                    "${IFS}" in event.deep_get("cs-uri-query", default=""),
                    "cHl0aG9u" in event.deep_get("cs-uri-query", default=""),
                    "B5dGhvb" in event.deep_get("cs-uri-query", default=""),
                    "weXRob2" in event.deep_get("cs-uri-query", default=""),
                ]
            ),
        ]
    ):
        return True
    return False
