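def rule(event):
    """Flag GET requests to the remote_agent.php poller that carry shell payload markers.

    A request matches when all of the following hold:

    * ``cs-method`` is exactly ``GET``;
    * ``cs-uri-query`` contains ``/remote_agent.php``, ``action=polldata`` and
      ``poller_id=``;
    * ``cs-uri-query`` contains at least one command-execution indicator
      (a base64-to-bash pipe, a backtick ``whoami``, ``powershell``, ``cmd``
      or ``wget``).

    Every substring is tested against the raw query string and against a
    percent-decoded, lower-cased copy. Matching only the raw bytes misses the
    same payload when it is encoded with lower-case hex digits (``%7c``), with
    ``+`` for spaces, or with different letter case (``PowerShell``).
    Everything the raw-only comparison matched still matches.

    Args:
        event: Log event exposing ``deep_get(key, default=...)``.

    Returns:
        bool: True when the request should raise an alert, otherwise False.
    """
    # Local import: no file-level import block is visible to extend.
    from urllib.parse import unquote_plus

    if event.deep_get("cs-method", default="") != "GET":
        return False

    raw_query = event.deep_get("cs-uri-query", default="")
    # A missing, empty or non-string field cannot hold any marker; treating it
    # as "no match" avoids a TypeError from the substring tests below.
    if not isinstance(raw_query, str) or not raw_query:
        return False

    # Two views of the same field: as logged, and decoded + case-folded.
    views = (raw_query, unquote_plus(raw_query).lower())

    def seen(needle):
        return any(needle in view for view in views)

    # NOTE(review): the script path is searched in cs-uri-query, so this
    # presumably relies on the log source putting the full URI in that field;
    # verify against the schema, otherwise the rule can never fire.
    # NOTE(review): these markers look like the Cacti remote agent poller
    # endpoint; confirm before naming the product in the alert title.
    endpoint_markers = ("/remote_agent.php", "action=polldata", "poller_id=")
    if not all(seen(marker) for marker in endpoint_markers):
        return False

    payload_indicators = (
        "| base64 -d | /bin/bash`",
        # Upper-case percent-encoded form, kept so raw matches are unchanged.
        "%7C%20base64%20-d%20%7C%20%2Fbin%2Fbash%60",
        "`whoami",
        "powershell",
        # "cmd" is a short token and may also occur in benign parameter
        # values; the endpoint markers above limit how often that matters.
        "cmd",
        "wget",
    )
    return any(seen(indicator) for indicator in payload_indicators)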
