def rule(event):
    if any(
        [
            all(
                [
                    event.deep_get("Image", default="").endswith("\\cmd.exe"),
                    " /c" in event.deep_get("CommandLine", default=""),
                    "dir " in event.deep_get("CommandLine", default=""),
                    "\\Users\\" in event.deep_get("CommandLine", default=""),
                    not " rmdir " in event.deep_get("CommandLine", default=""),
                ]
            ),
            all(
                [
                    any(
                        [
                            event.deep_get("Image", default="").endswith("\\net.exe"),
                            event.deep_get("Image", default="").endswith("\\net1.exe"),
                        ]
                    ),
                    "user" in event.deep_get("CommandLine", default=""),
                    not any(
                        [
                            "/domain" in event.deep_get("CommandLine", default=""),
                            "/add" in event.deep_get("CommandLine", default=""),
                            "/delete" in event.deep_get("CommandLine", default=""),
                            "/active" in event.deep_get("CommandLine", default=""),
                            "/expires" in event.deep_get("CommandLine", default=""),
                            "/passwordreq" in event.deep_get("CommandLine", default=""),
                            "/scriptpath" in event.deep_get("CommandLine", default=""),
                            "/times" in event.deep_get("CommandLine", default=""),
                            "/workstations" in event.deep_get("CommandLine", default=""),
                        ]
                    ),
                ]
            ),
            any(
                [
                    any(
                        [
                            any(
                                [
                                    event.deep_get("Image", default="").endswith("\\whoami.exe"),
                                    event.deep_get("Image", default="").endswith("\\quser.exe"),
                                    event.deep_get("Image", default="").endswith("\\qwinsta.exe"),
                                ]
                            ),
                            event.deep_get("OriginalFileName", default="")
                            in ["whoami.exe", "quser.exe", "qwinsta.exe"],
                        ]
                    ),
                    all(
                        [
                            event.deep_get("Image", default="").endswith("\\wmic.exe"),
                            "useraccount" in event.deep_get("CommandLine", default=""),
                            "get" in event.deep_get("CommandLine", default=""),
                        ]
                    ),
                    all(
                        [
                            event.deep_get("Image", default="").endswith("\\cmdkey.exe"),
                            " /l" in event.deep_get("CommandLine", default=""),
                        ]
                    ),
                ]
            ),
        ]
    ):
        return True
    return False
