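def rule(event):
    """Flag process creation that references the Windows ``Sysnative`` alias.

    ``Sysnative`` is the virtual directory through which a 32-bit (WOW64)
    process reaches the native 64-bit ``System32``. The rule fires when the
    path ``:\\Windows\\Sysnative\\`` occurs in either the ``CommandLine`` or
    the ``Image`` field of the event, unless one of two exclusions applies:

    * ``ngen.exe`` running from a .NET Framework directory with ``install``
      in its command line;
    * the quoted ``C:\\Windows\\sysnative\\cmd.exe`` launching XAMPP's
      ``catalina_start.bat``.

    Args:
        event: Log event exposing ``deep_get(key, default=...)``.

    Returns:
        ``True`` when the event should raise an alert, ``False`` otherwise.
    """
    # Windows paths are case-insensitive, so compare lower-cased copies.
    # A case-sensitive match misses variants such as "C:\WINDOWS\sysnative\";
    # the original literals themselves mixed "Sysnative" and "sysnative".
    # `or ""` keeps a field that is present but null from raising TypeError.
    command_line = (event.deep_get("CommandLine", default="") or "").lower()
    image = (event.deep_get("Image", default="") or "").lower()

    sysnative = ":\\windows\\sysnative\\"
    if sysnative not in command_line and sysnative not in image:
        return False

    # Exclusion 1: .NET native image generator installing assemblies.
    dotnet_dirs = (
        "c:\\windows\\microsoft.net\\framework64\\v",
        "c:\\windows\\microsoft.net\\framework\\v",
        "c:\\windows\\microsoft.net\\frameworkarm\\v",
        "c:\\windows\\microsoft.net\\frameworkarm64\\v",
    )
    if (
        any(prefix in image for prefix in dotnet_dirs)
        and image.endswith("\\ngen.exe")
        and "install" in command_line
    ):
        return False

    # Exclusion 2: XAMPP starting Tomcat through the Sysnative cmd.exe.
    # NOTE(review): this exclusion is decided on CommandLine substrings alone,
    # and the command line is chosen by whoever starts the process, so it is a
    # weak allow-list. Tighten it with a stronger anchor if the log source
    # offers one.
    if (
        '"c:\\windows\\sysnative\\cmd.exe"' in command_line
        and "\\xampp\\" in command_line
        and "\\catalina_start.bat" in command_line
    ):
        return False

    return True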
