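def rule(event):
    """Flag registry writes under an ``\\Environment\\`` key with suspicious data.

    The event matches when ``TargetObject`` contains ``\\Environment\\`` and
    ``Details`` (the value data being written) satisfies at least one of:

    * it is exactly ``powershell`` or ``pwsh``;
    * it contains a user-writable staging path or a base64 marker;
    * it starts with a base64 prefix from the prefix list.

    Windows registry and file-system paths are case-insensitive, so the path
    and interpreter-name comparisons are done on lowercased text; otherwise a
    value such as ``c:\\users\\public\\...`` would slip past the rule. Base64
    text is case-sensitive by construction, so those markers are compared
    as-is.

    Args:
        event: Log event exposing ``deep_get(key, default=...)``.

    Returns:
        bool: True when the event should raise an alert, False otherwise.
    """
    target_object = event.deep_get("TargetObject", default="")
    details = event.deep_get("Details", default="")

    # A missing or non-string field cannot match any of the string checks.
    if not isinstance(target_object, str) or not isinstance(details, str):
        return False

    if "\\environment\\" not in target_object.lower():
        return False

    details_lower = details.lower()

    # Bare interpreter name stored as the variable's value.
    if details_lower in ("powershell", "pwsh"):
        return True

    # User-writable locations commonly used to stage payloads.
    staging_paths = (
        "\\appdata\\local\\temp\\",
        "c:\\users\\public\\",
    )
    if any(path in details_lower for path in staging_paths):
        return True

    # Base64 fragments matched anywhere in the value. The "TV..." entries look
    # like encoded "MZ" executable headers and the rest like "Invoke-" in
    # ASCII and UTF-16LE at the three base64 alignments -- NOTE(review):
    # confirm against the upstream rule this list was taken from.
    encoded_markers = (
        "TVqQAAMAAAAEAAAA",
        "TVpQAAIAAAAEAA8A",
        "TVqAAAEAAAAEABAA",
        "TVoAAAAAAAAAAAAA",
        "TVpTAQEAAAAEAAAA",
        "SW52b2tlL",
        "ludm9rZS",
        "JbnZva2Ut",
        "SQBuAHYAbwBrAGUALQ",
        "kAbgB2AG8AawBlAC0A",
        "JAG4AdgBvAGsAZQAtA",
    )
    if any(marker in details for marker in encoded_markers):
        return True

    # Base64 prefixes matched only at the start of the value (for example
    # "SUVY" encodes "IEX", "H4sIA" is a gzip header, "Y21k" encodes "cmd").
    encoded_prefixes = (
        "SUVY",
        "SQBFAF",
        "SQBuAH",
        "cwBhA",
        "aWV4",
        "aQBlA",
        "R2V0",
        "dmFy",
        "dgBhA",
        "dXNpbm",
        "H4sIA",
        "Y21k",
        "cABhAH",
        "Qzpc",
        "Yzpc",
    )
    return details.startswith(encoded_prefixes)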
