def rule(event):
    if all(
        [
            any(
                [
                    event.deep_get("Description", default="") == "WMI Commandline Utility",
                    event.deep_get("OriginalFileName", default="") == "wmic.exe",
                    event.deep_get("Image", default="").endswith("\\WMIC.exe"),
                ]
            ),
            "get" in event.deep_get("CommandLine", default=""),
            any(
                [
                    "baseboard" in event.deep_get("CommandLine", default=""),
                    "bios" in event.deep_get("CommandLine", default=""),
                    "cpu" in event.deep_get("CommandLine", default=""),
                    "diskdrive" in event.deep_get("CommandLine", default=""),
                    "logicaldisk" in event.deep_get("CommandLine", default=""),
                    "memphysical" in event.deep_get("CommandLine", default=""),
                    "os" in event.deep_get("CommandLine", default=""),
                    "path" in event.deep_get("CommandLine", default=""),
                    "startup" in event.deep_get("CommandLine", default=""),
                    "win32_videocontroller" in event.deep_get("CommandLine", default=""),
                ]
            ),
            any(
                [
                    "caption" in event.deep_get("CommandLine", default=""),
                    "command" in event.deep_get("CommandLine", default=""),
                    "driverversion" in event.deep_get("CommandLine", default=""),
                    "maxcapacity" in event.deep_get("CommandLine", default=""),
                    "name" in event.deep_get("CommandLine", default=""),
                    "osarchitecture" in event.deep_get("CommandLine", default=""),
                    "product" in event.deep_get("CommandLine", default=""),
                    "size" in event.deep_get("CommandLine", default=""),
                    "smbiosbiosversion" in event.deep_get("CommandLine", default=""),
                    "version" in event.deep_get("CommandLine", default=""),
                    "videomodedescription" in event.deep_get("CommandLine", default=""),
                ]
            ),
            not "\\VMware\\VMware Tools\\serviceDiscovery\\scripts\\"
            in event.deep_get("ParentCommandLine", default=""),
        ]
    ):
        return True
    return False
