def rule(event):
    if any(
        [
            all(
                [
                    any(
                        [
                            "Add-MpPreference " in event.deep_get("CommandLine", default=""),
                            "Set-MpPreference " in event.deep_get("CommandLine", default=""),
                        ]
                    ),
                    any(
                        [
                            "DisableArchiveScanning " in event.deep_get("CommandLine", default=""),
                            "DisableRealtimeMonitoring "
                            in event.deep_get("CommandLine", default=""),
                            "DisableIOAVProtection " in event.deep_get("CommandLine", default=""),
                            "DisableBehaviorMonitoring "
                            in event.deep_get("CommandLine", default=""),
                            "DisableBlockAtFirstSeen " in event.deep_get("CommandLine", default=""),
                            "DisableCatchupFullScan " in event.deep_get("CommandLine", default=""),
                            "DisableCatchupQuickScan " in event.deep_get("CommandLine", default=""),
                        ]
                    ),
                    any(
                        [
                            "$true" in event.deep_get("CommandLine", default=""),
                            " 1 " in event.deep_get("CommandLine", default=""),
                        ]
                    ),
                ]
            ),
            any(
                [
                    any(
                        [
                            any(
                                [
                                    "ZGlzYWJsZWFyY2hpdmVzY2FubmluZy"
                                    in event.deep_get("CommandLine", default=""),
                                    "Rpc2FibGVhcmNoaXZlc2Nhbm5pbmcg"
                                    in event.deep_get("CommandLine", default=""),
                                    "kaXNhYmxlYXJjaGl2ZXNjYW5uaW5nI"
                                    in event.deep_get("CommandLine", default=""),
                                ]
                            ),
                            any(
                                [
                                    "RGlzYWJsZUFyY2hpdmVTY2FubmluZy"
                                    in event.deep_get("CommandLine", default=""),
                                    "Rpc2FibGVBcmNoaXZlU2Nhbm5pbmcg"
                                    in event.deep_get("CommandLine", default=""),
                                    "EaXNhYmxlQXJjaGl2ZVNjYW5uaW5nI"
                                    in event.deep_get("CommandLine", default=""),
                                ]
                            ),
                            any(
                                [
                                    "ZGlzYWJsZWJlaGF2aW9ybW9uaXRvcmluZy"
                                    in event.deep_get("CommandLine", default=""),
                                    "Rpc2FibGViZWhhdmlvcm1vbml0b3Jpbmcg"
                                    in event.deep_get("CommandLine", default=""),
                                    "kaXNhYmxlYmVoYXZpb3Jtb25pdG9yaW5nI"
                                    in event.deep_get("CommandLine", default=""),
                                ]
                            ),
                            any(
                                [
                                    "RGlzYWJsZUJlaGF2aW9yTW9uaXRvcmluZy"
                                    in event.deep_get("CommandLine", default=""),
                                    "Rpc2FibGVCZWhhdmlvck1vbml0b3Jpbmcg"
                                    in event.deep_get("CommandLine", default=""),
                                    "EaXNhYmxlQmVoYXZpb3JNb25pdG9yaW5nI"
                                    in event.deep_get("CommandLine", default=""),
                                ]
                            ),
                            any(
                                [
                                    "ZGlzYWJsZWJsb2NrYXRmaXJzdHNlZW4g"
                                    in event.deep_get("CommandLine", default=""),
                                    "Rpc2FibGVibG9ja2F0Zmlyc3RzZWVuI"
                                    in event.deep_get("CommandLine", default=""),
                                    "kaXNhYmxlYmxvY2thdGZpcnN0c2Vlbi"
                                    in event.deep_get("CommandLine", default=""),
                                ]
                            ),
                            any(
                                [
                                    "RGlzYWJsZUJsb2NrQXRGaXJzdFNlZW4g"
                                    in event.deep_get("CommandLine", default=""),
                                    "Rpc2FibGVCbG9ja0F0Rmlyc3RTZWVuI"
                                    in event.deep_get("CommandLine", default=""),
                                    "EaXNhYmxlQmxvY2tBdEZpcnN0U2Vlbi"
                                    in event.deep_get("CommandLine", default=""),
                                ]
                            ),
                            any(
                                [
                                    "ZGlzYWJsZWNhdGNodXBmdWxsc2Nhbi"
                                    in event.deep_get("CommandLine", default=""),
                                    "Rpc2FibGVjYXRjaHVwZnVsbHNjYW4g"
                                    in event.deep_get("CommandLine", default=""),
                                    "kaXNhYmxlY2F0Y2h1cGZ1bGxzY2FuI"
                                    in event.deep_get("CommandLine", default=""),
                                ]
                            ),
                            any(
                                [
                                    "RGlzYWJsZUNhdGNodXBGdWxsU2Nhbi"
                                    in event.deep_get("CommandLine", default=""),
                                    "Rpc2FibGVDYXRjaHVwRnVsbFNjYW4g"
                                    in event.deep_get("CommandLine", default=""),
                                    "EaXNhYmxlQ2F0Y2h1cEZ1bGxTY2FuI"
                                    in event.deep_get("CommandLine", default=""),
                                ]
                            ),
                            any(
                                [
                                    "ZGlzYWJsZWNhdGNodXBxdWlja3NjYW4g"
                                    in event.deep_get("CommandLine", default=""),
                                    "Rpc2FibGVjYXRjaHVwcXVpY2tzY2FuI"
                                    in event.deep_get("CommandLine", default=""),
                                    "kaXNhYmxlY2F0Y2h1cHF1aWNrc2Nhbi"
                                    in event.deep_get("CommandLine", default=""),
                                ]
                            ),
                            any(
                                [
                                    "RGlzYWJsZUNhdGNodXBRdWlja1NjYW4g"
                                    in event.deep_get("CommandLine", default=""),
                                    "Rpc2FibGVDYXRjaHVwUXVpY2tTY2FuI"
                                    in event.deep_get("CommandLine", default=""),
                                    "EaXNhYmxlQ2F0Y2h1cFF1aWNrU2Nhbi"
                                    in event.deep_get("CommandLine", default=""),
                                ]
                            ),
                            any(
                                [
                                    "ZGlzYWJsZWlvYXZwcm90ZWN0aW9uI"
                                    in event.deep_get("CommandLine", default=""),
                                    "Rpc2FibGVpb2F2cHJvdGVjdGlvbi"
                                    in event.deep_get("CommandLine", default=""),
                                    "kaXNhYmxlaW9hdnByb3RlY3Rpb24g"
                                    in event.deep_get("CommandLine", default=""),
                                ]
                            ),
                            any(
                                [
                                    "RGlzYWJsZUlPQVZQcm90ZWN0aW9uI"
                                    in event.deep_get("CommandLine", default=""),
                                    "Rpc2FibGVJT0FWUHJvdGVjdGlvbi"
                                    in event.deep_get("CommandLine", default=""),
                                    "EaXNhYmxlSU9BVlByb3RlY3Rpb24g"
                                    in event.deep_get("CommandLine", default=""),
                                ]
                            ),
                            any(
                                [
                                    "ZGlzYWJsZXJlYWx0aW1lbW9uaXRvcmluZy"
                                    in event.deep_get("CommandLine", default=""),
                                    "Rpc2FibGVyZWFsdGltZW1vbml0b3Jpbmcg"
                                    in event.deep_get("CommandLine", default=""),
                                    "kaXNhYmxlcmVhbHRpbWVtb25pdG9yaW5nI"
                                    in event.deep_get("CommandLine", default=""),
                                ]
                            ),
                            any(
                                [
                                    "RGlzYWJsZVJlYWx0aW1lTW9uaXRvcmluZy"
                                    in event.deep_get("CommandLine", default=""),
                                    "Rpc2FibGVSZWFsdGltZU1vbml0b3Jpbmcg"
                                    in event.deep_get("CommandLine", default=""),
                                    "EaXNhYmxlUmVhbHRpbWVNb25pdG9yaW5nI"
                                    in event.deep_get("CommandLine", default=""),
                                ]
                            ),
                        ]
                    ),
                    any(
                        [
                            "RABpAHMAYQBiAGwAZQBSAGUAYQBsAHQAaQBtAGUATQBvAG4AaQB0AG8AcgBpAG4AZwAgA"
                            in event.deep_get("CommandLine", default=""),
                            "QAaQBzAGEAYgBsAGUAUgBlAGEAbAB0AGkAbQBlAE0AbwBuAGkAdABvAHIAaQBuAGcAIA"
                            in event.deep_get("CommandLine", default=""),
                            "EAGkAcwBhAGIAbABlAFIAZQBhAGwAdABpAG0AZQBNAG8AbgBpAHQAbwByAGkAbgBnACAA"
                            in event.deep_get("CommandLine", default=""),
                            "RABpAHMAYQBiAGwAZQBJAE8AQQBWAFAAcgBvAHQAZQBjAHQAaQBvAG4AIA"
                            in event.deep_get("CommandLine", default=""),
                            "QAaQBzAGEAYgBsAGUASQBPAEEAVgBQAHIAbwB0AGUAYwB0AGkAbwBuACAA"
                            in event.deep_get("CommandLine", default=""),
                            "EAGkAcwBhAGIAbABlAEkATwBBAFYAUAByAG8AdABlAGMAdABpAG8AbgAgA"
                            in event.deep_get("CommandLine", default=""),
                            "RABpAHMAYQBiAGwAZQBCAGUAaABhAHYAaQBvAHIATQBvAG4AaQB0AG8AcgBpAG4AZwAgA"
                            in event.deep_get("CommandLine", default=""),
                            "QAaQBzAGEAYgBsAGUAQgBlAGgAYQB2AGkAbwByAE0AbwBuAGkAdABvAHIAaQBuAGcAIA"
                            in event.deep_get("CommandLine", default=""),
                            "EAGkAcwBhAGIAbABlAEIAZQBoAGEAdgBpAG8AcgBNAG8AbgBpAHQAbwByAGkAbgBnACAA"
                            in event.deep_get("CommandLine", default=""),
                            "RABpAHMAYQBiAGwAZQBCAGwAbwBjAGsAQQB0AEYAaQByAHMAdABTAGUAZQBuACAA"
                            in event.deep_get("CommandLine", default=""),
                            "QAaQBzAGEAYgBsAGUAQgBsAG8AYwBrAEEAdABGAGkAcgBzAHQAUwBlAGUAbgAgA"
                            in event.deep_get("CommandLine", default=""),
                            "EAGkAcwBhAGIAbABlAEIAbABvAGMAawBBAHQARgBpAHIAcwB0AFMAZQBlAG4AIA"
                            in event.deep_get("CommandLine", default=""),
                            "ZABpAHMAYQBiAGwAZQByAGUAYQBsAHQAaQBtAGUAbQBvAG4AaQB0AG8AcgBpAG4AZwAgA"
                            in event.deep_get("CommandLine", default=""),
                            "QAaQBzAGEAYgBsAGUAcgBlAGEAbAB0AGkAbQBlAG0AbwBuAGkAdABvAHIAaQBuAGcAIA"
                            in event.deep_get("CommandLine", default=""),
                            "kAGkAcwBhAGIAbABlAHIAZQBhAGwAdABpAG0AZQBtAG8AbgBpAHQAbwByAGkAbgBnACAA"
                            in event.deep_get("CommandLine", default=""),
                            "ZABpAHMAYQBiAGwAZQBpAG8AYQB2AHAAcgBvAHQAZQBjAHQAaQBvAG4AIA"
                            in event.deep_get("CommandLine", default=""),
                            "QAaQBzAGEAYgBsAGUAaQBvAGEAdgBwAHIAbwB0AGUAYwB0AGkAbwBuACAA"
                            in event.deep_get("CommandLine", default=""),
                            "kAGkAcwBhAGIAbABlAGkAbwBhAHYAcAByAG8AdABlAGMAdABpAG8AbgAgA"
                            in event.deep_get("CommandLine", default=""),
                            "ZABpAHMAYQBiAGwAZQBiAGUAaABhAHYAaQBvAHIAbQBvAG4AaQB0AG8AcgBpAG4AZwAgA"
                            in event.deep_get("CommandLine", default=""),
                            "QAaQBzAGEAYgBsAGUAYgBlAGgAYQB2AGkAbwByAG0AbwBuAGkAdABvAHIAaQBuAGcAIA"
                            in event.deep_get("CommandLine", default=""),
                            "kAGkAcwBhAGIAbABlAGIAZQBoAGEAdgBpAG8AcgBtAG8AbgBpAHQAbwByAGkAbgBnACAA"
                            in event.deep_get("CommandLine", default=""),
                            "ZABpAHMAYQBiAGwAZQBiAGwAbwBjAGsAYQB0AGYAaQByAHMAdABzAGUAZQBuACAA"
                            in event.deep_get("CommandLine", default=""),
                            "QAaQBzAGEAYgBsAGUAYgBsAG8AYwBrAGEAdABmAGkAcgBzAHQAcwBlAGUAbgAgA"
                            in event.deep_get("CommandLine", default=""),
                            "kAGkAcwBhAGIAbABlAGIAbABvAGMAawBhAHQAZgBpAHIAcwB0AHMAZQBlAG4AIA"
                            in event.deep_get("CommandLine", default=""),
                            "RABpAHMAYQBiAGwAZQBDAGEAdABjAGgAdQBwAEYAdQBsAGwAUwBjAGEAbgA"
                            in event.deep_get("CommandLine", default=""),
                            "RABpAHMAYQBiAGwAZQBDAGEAdABjAGgAdQBwAFEAdQBpAGMAawBTAGMAYQBuAA"
                            in event.deep_get("CommandLine", default=""),
                            "RABpAHMAYQBiAGwAZQBBAHIAYwBoAGkAdgBlAFMAYwBhAG4AbgBpAG4AZwA"
                            in event.deep_get("CommandLine", default=""),
                        ]
                    ),
                ]
            ),
        ]
    ):
        return True
    return False
