def rule(event):
    if all(
        [
            any(
                [
                    event.deep_get("Image", default="").endswith("\\cmd.exe"),
                    event.deep_get("Image", default="").endswith("\\powershell_ise.exe"),
                    event.deep_get("Image", default="").endswith("\\powershell.exe"),
                    event.deep_get("Image", default="").endswith("\\pwsh.exe"),
                    event.deep_get("Image", default="").endswith("\\w3wp.exe"),
                ]
            ),
            any(
                [
                    event.deep_get("TargetFilename", default="").startswith(
                        "C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\"
                    ),
                    event.deep_get("TargetFilename", default="").startswith(
                        "C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Web Server Extensions\\"
                    ),
                ]
            ),
            any(
                [
                    "\\15\\TEMPLATE\\LAYOUTS\\" in event.deep_get("TargetFilename", default=""),
                    "\\16\\TEMPLATE\\LAYOUTS\\" in event.deep_get("TargetFilename", default=""),
                ]
            ),
            any(
                [
                    event.deep_get("TargetFilename", default="").endswith(".asax"),
                    event.deep_get("TargetFilename", default="").endswith(".ascx"),
                    event.deep_get("TargetFilename", default="").endswith(".ashx"),
                    event.deep_get("TargetFilename", default="").endswith(".asmx"),
                    event.deep_get("TargetFilename", default="").endswith(".asp"),
                    event.deep_get("TargetFilename", default="").endswith(".aspx"),
                    event.deep_get("TargetFilename", default="").endswith(".bat"),
                    event.deep_get("TargetFilename", default="").endswith(".cmd"),
                    event.deep_get("TargetFilename", default="").endswith(".cer"),
                    event.deep_get("TargetFilename", default="").endswith(".config"),
                    event.deep_get("TargetFilename", default="").endswith(".hta"),
                    event.deep_get("TargetFilename", default="").endswith(".js"),
                    event.deep_get("TargetFilename", default="").endswith(".jsp"),
                    event.deep_get("TargetFilename", default="").endswith(".jspx"),
                    event.deep_get("TargetFilename", default="").endswith(".php"),
                    event.deep_get("TargetFilename", default="").endswith(".ps1"),
                    event.deep_get("TargetFilename", default="").endswith(".vbs"),
                ]
            ),
        ]
    ):
        return True
    return False
