def rule(event):
    """Return True when a WSMan provider DLL is loaded by a process that is not excluded.

    The event is read through ``event.deep_get`` for four fields: ``Image``,
    ``ImageLoaded``, ``OriginalFileName`` and ``CommandLine`` (presumably
    Sysmon-style image-load telemetry; confirm against the log source).
    A missing field is treated as the empty string.

    The rule fires when all three hold:
      * the loaded module is one of the WSMan DLLs (by path suffix or by
        ``OriginalFileName``), or ``svchost.exe`` loads ``WsmWmiPl.dll``;
      * none of the known-benign loader exclusions match;
      * the loader is not ``svchost.exe`` with an empty command line.

    NOTE(review): every comparison is case-sensitive as written. Windows
    paths are case-insensitive, so this assumes the pipeline delivers
    canonical casing; confirm, or normalise upstream.
    """
    image = event.deep_get("Image", default="")
    image_loaded = event.deep_get("ImageLoaded", default="")
    original_file_name = event.deep_get("OriginalFileName", default="")
    command_line = event.deep_get("CommandLine", default="")

    loader_is_svchost = image.endswith("\\svchost.exe")

    # --- selection: which module was loaded -------------------------------
    wsman_by_path = image_loaded.endswith(
        (
            "\\WsmSvc.dll",
            "\\WsmAuto.dll",
            "\\Microsoft.WSMan.Management.ni.dll",
        )
    )
    wsman_by_original_name = original_file_name in (
        "WsmSvc.dll",
        "WSMANAUTOMATION.DLL",
        "Microsoft.WSMan.Management.dll",
    )
    svchost_wmi_plugin = loader_is_svchost and original_file_name == "WsmWmiPl.dll"
    selected = wsman_by_path or wsman_by_original_name or svchost_wmi_plugin

    # --- exclusions: loaders expected to pull these DLLs ------------------
    # NOTE(review): each exclusion below trusts the path or command-line
    # string alone; nothing in this rule checks a signature or hash. Review
    # the prefix/suffix entries (a temp-directory prefix, a bare
    # "\\mmc.exe" suffix) against what the environment actually runs.
    known_host_binary = image in (
        "C:\\Program Files (x86)\\PowerShell\\6\\pwsh.exe",
        "C:\\Program Files (x86)\\PowerShell\\7\\pwsh.exe",
        "C:\\Program Files\\PowerShell\\6\\pwsh.exe",
        "C:\\Program Files\\PowerShell\\7\\pwsh.exe",
        "C:\\Windows\\System32\\sdiagnhost.exe",
        "C:\\Windows\\System32\\services.exe",
        "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe",
        "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    )
    # The last fragment is a substring of the first, so any "-k netsvcs"
    # service host is excluded, not only BITS.
    svchost_service_fragments = (
        "svchost.exe -k netsvcs -p -s BITS",
        "svchost.exe -k GraphicsPerfSvcGroup -s GraphicsPerfSvc",
        "svchost.exe -k NetworkService -p -s Wecsvc",
        "svchost.exe -k netsvcs",
    )
    known_service_host = any(
        fragment in command_line for fragment in svchost_service_fragments
    )
    dotnet_optimizer = image.startswith(
        (
            "C:\\Windows\\Microsoft.NET\\Framework64\\v",
            "C:\\Windows\\Microsoft.NET\\Framework\\v",
            "C:\\Windows\\Microsoft.NET\\FrameworkArm\\v",
            "C:\\Windows\\Microsoft.NET\\FrameworkArm64\\v",
        )
    ) and image.endswith("\\mscorsvw.exe")
    server_manager = image in (
        "C:\\Windows\\System32\\Configure-SMRemoting.exe",
        "C:\\Windows\\System32\\ServerManager.exe",
    )
    excluded_directory = image.startswith(
        (
            "C:\\Windows\\Temp\\asgard2-agent\\",
            "C:\\Program Files\\Citrix\\",
            "C:\\$WINDOWS.~BT\\Sources\\",
        )
    )
    management_console = image.endswith("\\mmc.exe")

    excluded = (
        known_host_binary
        or known_service_host
        or dotnet_optimizer
        or server_manager
        or excluded_directory
        or management_console
    )

    # svchost.exe events that carry no command line are dropped as well.
    svchost_without_cmdline = loader_is_svchost and command_line == ""

    return selected and not excluded and not svchost_without_cmdline
