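def rule(event):
    """Flag a shell open-command registry value that runs PowerShell with .NET crypto classes.

    Returns True only when all of the following hold:
      * ``TargetObject`` contains ``\\Shell\\Open\\Command``;
      * ``Details`` contains ``powershell`` or ``pwsh``;
      * ``Details`` contains ``System.Security.Cryptography.``;
      * ``Details`` names at least one of the listed crypto provider classes.

    NOTE(review): ``TargetObject``/``Details`` look like Sysmon registry
    value-set fields -- confirm against the log type this rule is bound to.

    Args:
        event: log event exposing ``deep_get(key, default=...)``.

    Returns:
        bool: True when the event matches, False otherwise.
    """
    # Registry key paths, PowerShell command lines and .NET type names are
    # case-insensitive on Windows. A case-sensitive substring test misses
    # "PowerShell.exe" or "\shell\open\command", so a trivial change of case
    # would slip past the rule. Normalise both fields once and compare against
    # lowercase needles. `or ""` / `str()` keep a null or non-string value from
    # raising inside the detection.
    target_object = str(event.deep_get("TargetObject", default="") or "").lower()
    details = str(event.deep_get("Details", default="") or "").lower()

    if "\\shell\\open\\command" not in target_object:
        return False

    if not any(host in details for host in ("powershell", "pwsh")):
        return False

    if "system.security.cryptography." not in details:
        return False

    crypto_classes = (
        ".aescryptoserviceprovider",
        ".descryptoserviceprovider",
        ".dsacryptoserviceprovider",
        ".rc2cryptoserviceprovider",
        ".rijndael",
        ".rsacryptoserviceprovider",
        ".tripledescryptoserviceprovider",
    )
    return any(name in details for name in crypto_classes)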
