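def rule(event):
    """Flag `reg add` command lines that set a security service's Start value to 4.

    On Windows, a service whose ``Start`` registry value is 4 is disabled. This
    rule fires when the process command line looks like a ``reg add`` that
    writes ``Start`` = 4 under one of the listed security or update related
    service keys (Defender, Security Center, Windows Update, AppID, ...).

    Args:
        event: Log event exposing ``deep_get(key, default=...)``; only the
            ``CommandLine`` field is read.

    Returns:
        bool: True when every required token and at least one monitored
        service key name is present in the command line, otherwise False.
    """
    command_line = event.deep_get("CommandLine", default="") or ""
    if not isinstance(command_line, str):
        # A non-string field cannot be substring-matched; treat as no match.
        return False

    # reg.exe verbs, switches and registry key names are case-insensitive on
    # Windows, so compare on a lower-cased copy. A case-sensitive comparison
    # would miss e.g. "REG ADD ... /V START" for the same operation.
    haystack = command_line.lower()

    # All of these must be present. Matching is plain substring containment;
    # spacing and value notation are not normalized here.
    required_tokens = ("reg", "add", "d 4", "v start")
    if not all(token in haystack for token in required_tokens):
        return False

    # Service key names monitored by this rule; the leading backslash anchors
    # each name to the start of a registry path component.
    monitored_services = (
        "\\AppIDSvc",
        "\\MsMpSvc",
        "\\NisSrv",
        "\\SecurityHealthService",
        "\\Sense",
        "\\UsoSvc",
        "\\WdBoot",
        "\\WdFilter",
        "\\WdNisDrv",
        "\\WdNisSvc",
        "\\WinDefend",
        "\\wscsvc",
        "\\wuauserv",
    )
    return any(service.lower() in haystack for service in monitored_services)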
