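def rule(event):
    """Flag command lines that read ntdll.dll with `type` or redirect it into a named pipe.

    Args:
        event: Log event exposing ``deep_get(key, default=...)``; only the
            ``CommandLine`` field is read.

    Returns:
        True when the command line contains one of the ntdll.dll markers
        below, otherwise False.
    """
    # Markers are kept lowercase because the command line is lowercased before comparison.
    markers = (
        "type %windir%\\system32\\ntdll.dll",
        "type %systemroot%\\system32\\ntdll.dll",
        "type c:\\windows\\system32\\ntdll.dll",
        "\\ntdll.dll > \\\\.\\pipe\\",
    )

    # A missing field falls back to "" so the rule returns False.
    command_line = event.deep_get("CommandLine", default="")
    if not isinstance(command_line, str):
        # A non-string value cannot be substring-matched; treat it as no match
        # rather than raising inside the rule.
        return False

    # Windows resolves command names, environment variables and paths without
    # regard to case, so a case-sensitive comparison would miss the usual
    # "C:\Windows\System32" spelling. Compare on a lowercased copy.
    # NOTE(review): matching is plain substring; spacing and quoting are not
    # normalised, so coverage is limited to the literal forms listed above.
    normalized = command_line.lower()
    return any(marker in normalized for marker in markers)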
