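def rule(event):
    """Flag a command line carrying the markers of an AMSI bypass via .NET reflection.

    The rule fires when the event's ``CommandLine`` field contains every
    marker of at least one of two groups:

    * ``System.Management.Automation.AmsiUtils`` together with
      ``amsiInitFailed``;
    * ``[Ref].Assembly.GetType`` together with ``SetValue($null,$true)`` and
      ``NonPublic,Static``.

    Args:
        event: Log event exposing ``deep_get(key, default=...)``. A missing
            ``CommandLine`` is treated as an empty string.

    Returns:
        True when either marker group is fully present, otherwise False.
    """
    # PowerShell resolves type and member names without regard to case, so the
    # comparison is done on lower-cased text. A case-sensitive substring test
    # would miss the same command written with different capitalisation.
    command_line = event.deep_get("CommandLine", default="").lower()

    # Each inner tuple is one indicator group; all of its markers must appear.
    # NOTE(review): matching is a literal substring test, so spacing variants
    # inside a marker (e.g. "NonPublic, Static") are not covered. Pair this
    # rule with PowerShell script block logging where that is available.
    marker_groups = (
        (
            "system.management.automation.amsiutils",
            "amsiinitfailed",
        ),
        (
            "[ref].assembly.gettype",
            "setvalue($null,$true)",
            "nonpublic,static",
        ),
    )

    return any(
        all(marker in command_line for marker in group)
        for group in marker_groups
    )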
