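# Binary names compared (exact match, case-insensitive) with the event's
# OriginalFileName field.
_SERVICE_TOOL_ORIGINAL_NAMES = (
    "net.exe",
    "net1.exe",
    "PowerShell_ISE.EXE",
    "PowerShell.EXE",
    "psservice.exe",
    "pwsh.dll",
    "sc.exe",
    "wmic.exe",
)

# Path suffixes compared (case-insensitive) with the end of the Image field.
_SERVICE_TOOL_IMAGE_SUFFIXES = (
    "\\net.exe",
    "\\net1.exe",
    "\\PowerShell_ISE.EXE",
    "\\powershell.exe",
    "\\PsService.exe",
    "\\PsService64.exe",
    "\\pwsh.exe",
    "\\sc.exe",
    "\\wmic.exe",
)

# Any one of these in the command line counts as a stop/pause/delete action.
_TAMPER_VERBS = (
    " delete ",
    ".delete()",
    " pause ",
    " stop ",
    "Stop-Service ",
    "Remove-Service ",
)

# All of these together count as a "disable the service" action.
# NOTE(review): only the literal "start=disabled" is matched; a command line
# written with whitespace after "=" is not covered by this token - confirm
# whether a second variant should be added.
_DISABLE_TOKENS = (
    "config",
    "start=disabled",
)

# Substrings identifying the services this rule watches (security products,
# backup agents, databases, core Windows services).
# NOTE(review): a few entries look like transcription artifacts (for example
# "MSSQ!I.SPROFXENGAGEMEHT", "WeanClOudSve"); they are kept verbatim - verify
# against the upstream rule before editing them.
# Short entries ("HMS", "MMS", "VSS", "vds", ...) are plain substring matches
# and can hit unrelated text; tune with allow-listing if alert volume is high.
_TARGET_SERVICE_MARKERS = (
    "143Svc",
    "Acronis VSS Provider",
    "AcronisAgent",
    "AcrSch2Svc",
    "AdobeARMservice",
    "AHS Service",
    "Antivirus",
    "Apache4",
    "ARSM",
    "aswBcc",
    "AteraAgent",
    "Avast Business Console Client Antivirus Service",
    "avast! Antivirus",
    "AVG Antivirus",
    "avgAdminClient",
    "AvgAdminServer",
    "AVP1",
    "BackupExec",
    "bedbg",
    "BITS",
    "BrokerInfrastructure",
    "CASLicenceServer",
    "CASWebServer",
    "Client Agent 7.60",
    "Core Browsing Protection",
    "Core Mail Protection",
    "Core Scanning Server",
    "DCAgent",
    "dwmrcs",
    "EhttpSr",
    "ekrn",
    "Enterprise Client Service",
    "epag",
    "EPIntegrationService",
    "EPProtectedService",
    "EPRedline",
    "EPSecurityService",
    "EPUpdateService",
    "EraserSvc11710",
    "EsgShKernel",
    "ESHASRV",
    "FA_Scheduler",
    "FirebirdGuardianDefaultInstance",
    "FirebirdServerDefaultInstance",
    "FontCache3.0.0.0",
    "HealthTLService",
    "hmpalertsvc",
    "HMS",
    "HostControllerService",
    "hvdsvc",
    "IAStorDataMgrSvc",
    "IBMHPS",
    "ibmspsvc",
    "IISAdmin",
    "IMANSVC",
    "IMAP4Svc",
    "instance2",
    "KAVFS",
    "KAVFSGT",
    "kavfsslp",
    "KeyIso",
    "klbackupdisk",
    "klbackupflt",
    "klflt",
    "klhk",
    "KLIF",
    "klim6",
    "klkbdflt",
    "klmouflt",
    "klnagent",
    "klpd",
    "kltap",
    "KSDE1.0.0",
    "LogProcessorService",
    "M8EndpointAgent",
    "macmnsvc",
    "masvc",
    "MBAMService",
    "MBCloudEA",
    "MBEndpointAgent",
    "McAfeeDLPAgentService",
    "McAfeeEngineService",
    "MCAFEEEVENTPARSERSRV",
    "McAfeeFramework",
    "MCAFEETOMCATSRV530",
    "McShield",
    "McTaskManager",
    "mfefire",
    "mfemms",
    "mfevto",
    "mfevtp",
    "mfewc",
    "MMS",
    "mozyprobackup",
    "mpssvc",
    "MSComplianceAudit",
    "MSDTC",
    "MsDtsServer",
    "MSExchange",
    "msftesq1SPROO",
    "msftesql$PROD",
    "msftesql$SQLEXPRESS",
    "MSOLAP$SQL_2008",
    "MSOLAP$SYSTEM_BGC",
    "MSOLAP$TPS",
    "MSOLAP$TPSAMA",
    "MSOLAPSTPS",
    "MSOLAPSTPSAMA",
    "mssecflt",
    "MSSQ!I.SPROFXENGAGEMEHT",
    "MSSQ0SHAREPOINT",
    "MSSQ0SOPHOS",
    "MSSQL",
    "MSSQLFDLauncher$",
    "MySQL",
    "NanoServiceMain",
    "NetMsmqActivator",
    "NetPipeActivator",
    "netprofm",
    "NetTcpActivator",
    "NetTcpPortSharing",
    "ntrtscan",
    "nvspwmi",
    "ofcservice",
    "Online Protection System",
    "OracleClientCache80",
    "OracleDBConsole",
    "OracleMTSRecoveryService",
    "OracleOraDb11g_home1",
    "OracleService",
    "OracleVssWriter",
    "osppsvc",
    "PandaAetherAgent",
    "PccNTUpd",
    "PDVFSService",
    "POP3Svc",
    "postgresql-x64-9.4",
    "POVFSService",
    "PSUAService",
    "Quick Update Service",
    "RepairService",
    "ReportServer",
    "ReportServer$",
    "RESvc",
    "RpcEptMapper",
    "sacsvr",
    "SamSs",
    "SAVAdminService",
    "SAVService",
    "ScSecSvc",
    "SDRSVC",
    "SearchExchangeTracing",
    "sense",
    "SentinelAgent",
    "SentinelHelperService",
    "SepMasterService",
    "ShMonitor",
    "Smcinst",
    "SmcService",
    "SMTPSvc",
    "SNAC",
    "SntpService",
    "Sophos",
    "SQ1SafeOLRService",
    "SQL Backups",
    "SQL Server",
    "SQLAgent",
    "SQLANYs_Sage_FAS_Fixed_Assets",
    "SQLBrowser",
    "SQLsafe",
    "SQLSERVERAGENT",
    "SQLTELEMETRY",
    "SQLWriter",
    "SSISTELEMETRY130",
    "SstpSvc",
    "storflt",
    "svcGenericHost",
    "swc_service",
    "swi_filter",
    "swi_service",
    "swi_update",
    "Symantec",
    "sysmon",
    "TeamViewer",
    "Telemetryserver",
    "ThreatLockerService",
    "TMBMServer",
    "TmCCSF",
    "TmFilter",
    "TMiCRCScanService",
    "tmlisten",
    "TMLWCSService",
    "TmPfw",
    "TmPreFilter",
    "TmProxy",
    "TMSmartRelayService",
    "tmusa",
    "Tomcat",
    "Trend Micro Deep Security Manager",
    "TrueKey",
    "UFNet",
    "UI0Detect",
    "UniFi",
    "UTODetect",
    "vds",
    "Veeam",
    "VeeamDeploySvc",
    "Veritas System Recovery",
    "vmic",
    "VMTools",
    "vmvss",
    "VSApiNt",
    "VSS",
    "W3Svc",
    "wbengine",
    "WdNisSvc",
    "WeanClOudSve",
    "Weems JY",
    "WinDefend",
    "wmms",
    "wozyprobackup",
    "WPFFontCache_v0400",
    "WRSVC",
    "wsbexchange",
    "WSearch",
    "wscsvc",
    "Zoolz 2 Service",
)


def _lowered(values):
    """Return *values* as a tuple of lower-cased strings."""
    return tuple(value.lower() for value in values)


# Lower-cased once at import so each event costs one .lower() per field.
_TOOL_NAMES_LOWER = frozenset(_lowered(_SERVICE_TOOL_ORIGINAL_NAMES))
_TOOL_SUFFIXES_LOWER = _lowered(_SERVICE_TOOL_IMAGE_SUFFIXES)
_TAMPER_VERBS_LOWER = _lowered(_TAMPER_VERBS)
_DISABLE_TOKENS_LOWER = _lowered(_DISABLE_TOKENS)
_TARGET_MARKERS_LOWER = _lowered(_TARGET_SERVICE_MARKERS)


def _field_lower(event, field):
    """Read *field* from the event and return it lower-cased.

    A missing or non-string value yields "" so the rule evaluates to
    "no match" instead of raising on malformed events.
    """
    value = event.deep_get(field, default="")
    return value.lower() if isinstance(value, str) else ""


def rule(event):
    """Flag process events where a service-control tool stops, pauses,
    deletes or disables one of the watched services.

    All three conditions must hold:
      1. OriginalFileName equals, or Image ends with, a known service
         management binary (net, sc, wmic, PowerShell, PsService).
      2. CommandLine contains a stop/pause/delete verb, or both "config"
         and "start=disabled".
      3. CommandLine contains one of the watched service markers.

    Matching is case-insensitive: Windows paths, sc/net verbs, PowerShell
    cmdlets and service names are not case-sensitive, so a case-sensitive
    comparison would miss the same command written with different casing.

    Args:
        event: object exposing deep_get(key, default=...) for the fields
            OriginalFileName, Image and CommandLine.

    Returns:
        True when the event matches all three conditions, else False.
    """
    original_name = _field_lower(event, "OriginalFileName")
    image_path = _field_lower(event, "Image")

    launched_by_service_tool = (
        original_name in _TOOL_NAMES_LOWER
        or image_path.endswith(_TOOL_SUFFIXES_LOWER)
    )
    if not launched_by_service_tool:
        return False

    command_line = _field_lower(event, "CommandLine")

    tamper_action = any(verb in command_line for verb in _TAMPER_VERBS_LOWER) or all(
        token in command_line for token in _DISABLE_TOKENS_LOWER
    )
    if not tamper_action:
        return False

    # Substring match: the marker may appear anywhere in the command line.
    return any(marker in command_line for marker in _TARGET_MARKERS_LOWER)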
