def rule(event):
    if any(
        [
            any(
                [
                    event.deep_get("Image", default="").endswith("\\Certify.exe"),
                    event.deep_get("OriginalFileName", default="") == "Certify.exe",
                    "Certify" in event.deep_get("Description", default=""),
                ]
            ),
            all(
                [
                    any(
                        [
                            ".exe cas " in event.deep_get("CommandLine", default=""),
                            ".exe find " in event.deep_get("CommandLine", default=""),
                            ".exe pkiobjects " in event.deep_get("CommandLine", default=""),
                            ".exe request " in event.deep_get("CommandLine", default=""),
                            ".exe download " in event.deep_get("CommandLine", default=""),
                        ]
                    ),
                    any(
                        [
                            " /vulnerable" in event.deep_get("CommandLine", default=""),
                            " /template:" in event.deep_get("CommandLine", default=""),
                            " /altname:" in event.deep_get("CommandLine", default=""),
                            " /domain:" in event.deep_get("CommandLine", default=""),
                            " /path:" in event.deep_get("CommandLine", default=""),
                            " /ca:" in event.deep_get("CommandLine", default=""),
                        ]
                    ),
                ]
            ),
        ]
    ):
        return True
    return False
