def rule(event):
    if all(
        [
            event.deep_get("Image", default="").endswith("\\cmd.exe"),
            any(
                [
                    event.deep_get("ParentImage", default="").endswith("\\csrss.exe"),
                    event.deep_get("ParentImage", default="").endswith("\\ctfmon.exe"),
                    event.deep_get("ParentImage", default="").endswith("\\dllhost.exe"),
                    event.deep_get("ParentImage", default="").endswith("\\epad.exe"),
                    event.deep_get("ParentImage", default="").endswith(
                        "\\FlashPlayerUpdateService.exe"
                    ),
                    event.deep_get("ParentImage", default="").endswith("\\GoogleUpdate.exe"),
                    event.deep_get("ParentImage", default="").endswith("\\jucheck.exe"),
                    event.deep_get("ParentImage", default="").endswith("\\jusched.exe"),
                    event.deep_get("ParentImage", default="").endswith("\\LogonUI.exe"),
                    event.deep_get("ParentImage", default="").endswith("\\lsass.exe"),
                    event.deep_get("ParentImage", default="").endswith("\\regsvr32.exe"),
                    event.deep_get("ParentImage", default="").endswith("\\SearchIndexer.exe"),
                    event.deep_get("ParentImage", default="").endswith("\\SearchProtocolHost.exe"),
                    event.deep_get("ParentImage", default="").endswith("\\SIHClient.exe"),
                    event.deep_get("ParentImage", default="").endswith("\\sihost.exe"),
                    event.deep_get("ParentImage", default="").endswith("\\slui.exe"),
                    event.deep_get("ParentImage", default="").endswith("\\spoolsv.exe"),
                    event.deep_get("ParentImage", default="").endswith("\\sppsvc.exe"),
                    event.deep_get("ParentImage", default="").endswith("\\taskhostw.exe"),
                    event.deep_get("ParentImage", default="").endswith("\\unsecapp.exe"),
                    event.deep_get("ParentImage", default="").endswith("\\WerFault.exe"),
                    event.deep_get("ParentImage", default="").endswith("\\wermgr.exe"),
                    event.deep_get("ParentImage", default="").endswith("\\wlanext.exe"),
                    event.deep_get("ParentImage", default="").endswith("\\WUDFHost.exe"),
                ]
            ),
        ]
    ):
        return True
    return False
