def rule(event):
    if any(
        [
            any(
                [
                    event.deep_get("Image", default="").endswith("\\Certipy.exe"),
                    event.deep_get("OriginalFileName", default="") == "Certipy.exe",
                    "Certipy" in event.deep_get("Description", default=""),
                ]
            ),
            all(
                [
                    any(
                        [
                            " account " in event.deep_get("CommandLine", default=""),
                            " auth " in event.deep_get("CommandLine", default=""),
                            " cert " in event.deep_get("CommandLine", default=""),
                            " find " in event.deep_get("CommandLine", default=""),
                            " forge " in event.deep_get("CommandLine", default=""),
                            " ptt " in event.deep_get("CommandLine", default=""),
                            " relay " in event.deep_get("CommandLine", default=""),
                            " req " in event.deep_get("CommandLine", default=""),
                            " shadow " in event.deep_get("CommandLine", default=""),
                            " template " in event.deep_get("CommandLine", default=""),
                        ]
                    ),
                    any(
                        [
                            " -bloodhound" in event.deep_get("CommandLine", default=""),
                            " -ca-pfx " in event.deep_get("CommandLine", default=""),
                            " -dc-ip " in event.deep_get("CommandLine", default=""),
                            " -kirbi" in event.deep_get("CommandLine", default=""),
                            " -old-bloodhound" in event.deep_get("CommandLine", default=""),
                            " -pfx " in event.deep_get("CommandLine", default=""),
                            " -target" in event.deep_get("CommandLine", default=""),
                            " -template" in event.deep_get("CommandLine", default=""),
                            " -username " in event.deep_get("CommandLine", default=""),
                            " -vulnerable" in event.deep_get("CommandLine", default=""),
                            "auth -pfx" in event.deep_get("CommandLine", default=""),
                            "shadow auto" in event.deep_get("CommandLine", default=""),
                            "shadow list" in event.deep_get("CommandLine", default=""),
                        ]
                    ),
                ]
            ),
        ]
    ):
        return True
    return False
