def rule(event):
    if any(
        [
            any(
                [
                    event.deep_get("Image", default="").endswith("/crackmapexec"),
                    event.deep_get("Image", default="").endswith("/havoc"),
                    event.deep_get("Image", default="").endswith("/merlin-agent"),
                    event.deep_get("Image", default="").endswith("/merlinServer-Linux-x64"),
                    event.deep_get("Image", default="").endswith("/msfconsole"),
                    event.deep_get("Image", default="").endswith("/msfvenom"),
                    event.deep_get("Image", default="").endswith("/ps-empire server"),
                    event.deep_get("Image", default="").endswith("/ps-empire"),
                    event.deep_get("Image", default="").endswith("/sliver-client"),
                    event.deep_get("Image", default="").endswith("/sliver-server"),
                    event.deep_get("Image", default="").endswith("/Villain.py"),
                ]
            ),
            any(
                [
                    "/cobaltstrike" in event.deep_get("Image", default=""),
                    "/teamserver" in event.deep_get("Image", default=""),
                ]
            ),
            any(
                [
                    event.deep_get("Image", default="").endswith("/autorecon"),
                    event.deep_get("Image", default="").endswith("/httpx"),
                    event.deep_get("Image", default="").endswith("/legion"),
                    event.deep_get("Image", default="").endswith("/naabu"),
                    event.deep_get("Image", default="").endswith("/netdiscover"),
                    event.deep_get("Image", default="").endswith("/nuclei"),
                    event.deep_get("Image", default="").endswith("/recon-ng"),
                ]
            ),
            "/sniper" in event.deep_get("Image", default=""),
            any(
                [
                    event.deep_get("Image", default="").endswith("/dirb"),
                    event.deep_get("Image", default="").endswith("/dirbuster"),
                    event.deep_get("Image", default="").endswith("/eyewitness"),
                    event.deep_get("Image", default="").endswith("/feroxbuster"),
                    event.deep_get("Image", default="").endswith("/ffuf"),
                    event.deep_get("Image", default="").endswith("/gobuster"),
                    event.deep_get("Image", default="").endswith("/wfuzz"),
                    event.deep_get("Image", default="").endswith("/whatweb"),
                ]
            ),
            any(
                [
                    event.deep_get("Image", default="").endswith("/joomscan"),
                    event.deep_get("Image", default="").endswith("/nikto"),
                    event.deep_get("Image", default="").endswith("/wpscan"),
                ]
            ),
            any(
                [
                    event.deep_get("Image", default="").endswith("/aircrack-ng"),
                    event.deep_get("Image", default="").endswith("/bloodhound-python"),
                    event.deep_get("Image", default="").endswith("/bpfdos"),
                    event.deep_get("Image", default="").endswith("/ebpfki"),
                    event.deep_get("Image", default="").endswith("/evil-winrm"),
                    event.deep_get("Image", default="").endswith("/hashcat"),
                    event.deep_get("Image", default="").endswith("/hoaxshell.py"),
                    event.deep_get("Image", default="").endswith("/hydra"),
                    event.deep_get("Image", default="").endswith("/john"),
                    event.deep_get("Image", default="").endswith("/ncrack"),
                    event.deep_get("Image", default="").endswith("/nxc-ubuntu-latest"),
                    event.deep_get("Image", default="").endswith("/pidhide"),
                    event.deep_get("Image", default="").endswith("/pspy32"),
                    event.deep_get("Image", default="").endswith("/pspy32s"),
                    event.deep_get("Image", default="").endswith("/pspy64"),
                    event.deep_get("Image", default="").endswith("/pspy64s"),
                    event.deep_get("Image", default="").endswith("/setoolkit"),
                    event.deep_get("Image", default="").endswith("/sqlmap"),
                    event.deep_get("Image", default="").endswith("/writeblocker"),
                ]
            ),
            "/linpeas" in event.deep_get("Image", default=""),
        ]
    ):
        return True
    return False
