def rule(event):
    if all(
        [
            any(
                [
                    any(
                        [
                            event.deep_get("Image", default="").endswith("\\powershell.exe"),
                            event.deep_get("Image", default="").endswith("\\pwsh.exe"),
                        ]
                    ),
                    event.deep_get("OriginalFileName", default="")
                    in ["PowerShell.EXE", "pwsh.dll"],
                ]
            ),
            "System.Security.Cryptography." in event.deep_get("CommandLine", default=""),
            any(
                [
                    ".AesCryptoServiceProvider" in event.deep_get("CommandLine", default=""),
                    ".DESCryptoServiceProvider" in event.deep_get("CommandLine", default=""),
                    ".DSACryptoServiceProvider" in event.deep_get("CommandLine", default=""),
                    ".RC2CryptoServiceProvider" in event.deep_get("CommandLine", default=""),
                    ".Rijndael" in event.deep_get("CommandLine", default=""),
                    ".RSACryptoServiceProvider" in event.deep_get("CommandLine", default=""),
                    ".TripleDESCryptoServiceProvider" in event.deep_get("CommandLine", default=""),
                ]
            ),
        ]
    ):
        return True
    return False
