def rule(event):
    if all(
        [
            any(
                [
                    event.deep_get("OriginalFileName", default="")
                    in ["powershell_ise.exe", "PowerShell.EXE", "pwsh.dll"],
                    any(
                        [
                            event.deep_get("Image", default="").endswith("\\powershell_ise.exe"),
                            event.deep_get("Image", default="").endswith("\\powershell.exe"),
                            event.deep_get("Image", default="").endswith("\\pwsh.exe"),
                        ]
                    ),
                ]
            ),
            any(
                [
                    "-executionpolicy " in event.deep_get("CommandLine", default=""),
                    " -ep " in event.deep_get("CommandLine", default=""),
                    " -exec " in event.deep_get("CommandLine", default=""),
                ]
            ),
            any(
                [
                    "Bypass" in event.deep_get("CommandLine", default=""),
                    "Unrestricted" in event.deep_get("CommandLine", default=""),
                ]
            ),
            not all(
                [
                    event.deep_get("ParentImage", default="")
                    in ["C:\\Windows\\SysWOW64\\msiexec.exe", "C:\\Windows\\System32\\msiexec.exe"],
                    any(
                        [
                            '-NoProfile -ExecutionPolicy Bypass -File "C:\\Program Files\\PowerShell\\7\\'
                            in event.deep_get("CommandLine", default=""),
                            '-NoProfile -ExecutionPolicy Bypass -File "C:\\Program Files (x86)\\PowerShell\\7\\'
                            in event.deep_get("CommandLine", default=""),
                        ]
                    ),
                ]
            ),
            not all(
                [
                    any(
                        [
                            "C:\\Program Files\\Avast Software\\Avast\\"
                            in event.deep_get("ParentImage", default=""),
                            "C:\\Program Files (x86)\\Avast Software\\Avast\\"
                            in event.deep_get("ParentImage", default=""),
                            "\\instup.exe" in event.deep_get("ParentImage", default=""),
                        ]
                    ),
                    any(
                        [
                            '-ExecutionPolicy ByPass -File "C:\\Program Files\\Avast Software\\Avast'
                            in event.deep_get("CommandLine", default=""),
                            '-ExecutionPolicy ByPass -File "C:\\Program Files (x86)\\Avast Software\\Avast\\'
                            in event.deep_get("CommandLine", default=""),
                        ]
                    ),
                ]
            ),
        ]
    ):
        return True
    return False
