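def rule(event):
    """Return True when the process command line matches a known indicator set.

    The ``CommandLine`` field is read once and compared against three groups
    of substrings. A group matches only when every one of its substrings is
    present, and the rule fires when any group matches.

    Matching is case-insensitive. Windows treats executable names, PowerShell
    parameter names and .NET type names case-insensitively, so a
    case-sensitive comparison would miss the same command written with
    different casing (for example ``PowerShell`` or ``-Exec bypass``).

    Args:
        event: Log event exposing ``deep_get(key, default=...)``.

    Returns:
        bool: True if any indicator group matches in full, otherwise False.
    """
    command_line = event.deep_get("CommandLine", default="")
    # A missing, null or non-string field cannot match; bail out rather than
    # raising inside the detection engine.
    if not isinstance(command_line, str):
        return False
    haystack = command_line.lower()

    indicator_sets = (
        # mshta-style "vbscript:" one-liner that starts PowerShell with
        # "-w 1 -exec Bypass" and references a path under \ProgramData\.
        # NOTE(review): "-w 1 -exec Bypass" is matched as one literal, so a
        # different argument order or extra whitespace will not match.
        (
            'vbscript:Close(Execute("CreateObject(',
            "powershell",
            "-w 1 -exec Bypass",
            "\\ProgramData\\",
        ),
        # Host survey: WMI operating-system and network-adapter classes, the
        # SecurityCenter2 namespace and the .NET DNS class on one command line.
        (
            "Win32_OperatingSystem",
            "Win32_NetworkAdapterConfiguration",
            "root\\SecurityCenter2",
            "[System.Net.DNS]",
        ),
        # HTTP fetch combined with Base64 and XOR handling in PowerShell.
        # NOTE(review): the GetString marker ends in "]" where a method call
        # would normally be followed by "(" - if that is a typo this group can
        # never match in full. Left unchanged; confirm against the rule's
        # upstream source before editing.
        (
            "[Convert]::ToBase64String",
            "[System.Text.Encoding]::UTF8.GetString]",
            "GetResponse().GetResponseStream()",
            "[System.Net.HttpWebRequest]::Create(",
            "-bxor ",
        ),
    )

    return any(
        all(marker.lower() in haystack for marker in markers)
        for markers in indicator_sets
    )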
