import json


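def rule(event):
    """Flag GET requests whose logged data carries a command-like parameter value.

    The event is serialized to JSON once and searched for ``=<command>``
    markers (recon and download utilities, ``cmd`` switches, interpreters)
    in their URL-encoded spellings.

    Args:
        event: Log event exposing ``deep_get(key, default=...)`` and
            ``to_dict()``. The ``cs-method`` field name suggests W3C/IIS-style
            web server logs -- TODO confirm against the log source.

    Returns:
        bool: True when the method is GET and at least one marker is present
        anywhere in the serialized event, otherwise False.
    """
    # Non-GET traffic is out of scope; bail out before paying for serialization.
    if event.deep_get("cs-method", default="") != "GET":
        return False

    markers = (
        "=whoami",
        "=net%20user",
        "=net+user",
        "=net%2Buser",
        "=cmd%20/c%",
        "=cmd+/c+",
        "=cmd%2B/c%",
        "=cmd%20/r%",
        "=cmd+/r+",
        "=cmd%2B/r%",
        "=cmd%20/k%",
        "=cmd+/k+",
        "=cmd%2B/k%",
        "=powershell%",
        "=powershell+",
        "=tasklist%",
        "=tasklist+",
        "=wmic%",
        "=wmic+",
        "=ssh%",
        "=ssh+",
        "=python%",
        "=python+",
        "=python3%",
        "=python3+",
        "=ipconfig",
        "=wget%",
        "=wget+",
        "=curl%",
        "=curl+",
        "=certutil",
        "=copy%20%5C%5C",
        "=dsquery%",
        "=dsquery+",
        "=nltest%",
        "=nltest+",
    )

    # Serialize once instead of once per marker. Both sides are lower-cased
    # because percent-escape hex digits and Windows command names are
    # case-insensitive, so "%2b" / "WhoAmI" must match like "%2B" / "whoami".
    # NOTE(review): the search covers every field of the event, not only the
    # query string, so a marker in e.g. a referrer field also fires -- confirm
    # this breadth is intended when tuning false positives.
    haystack = json.dumps(event.to_dict()).lower()
    return any(marker.lower() in haystack for marker in markers)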
