def rule(event):
    if all(
        [
            any(
                [
                    "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
                    in event.deep_get("TargetObject", default=""),
                    "\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run"
                    in event.deep_get("TargetObject", default=""),
                    "\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run"
                    in event.deep_get("TargetObject", default=""),
                ]
            ),
            any(
                [
                    "powershell" in event.deep_get("Details", default=""),
                    "pwsh " in event.deep_get("Details", default=""),
                    "FromBase64String" in event.deep_get("Details", default=""),
                    ".DownloadFile(" in event.deep_get("Details", default=""),
                    ".DownloadString(" in event.deep_get("Details", default=""),
                    " -w hidden " in event.deep_get("Details", default=""),
                    " -w 1 " in event.deep_get("Details", default=""),
                    "-windowstyle hidden" in event.deep_get("Details", default=""),
                    "-window hidden" in event.deep_get("Details", default=""),
                    " -nop " in event.deep_get("Details", default=""),
                    " -encodedcommand " in event.deep_get("Details", default=""),
                    "-ExecutionPolicy Bypass" in event.deep_get("Details", default=""),
                    "Invoke-Expression" in event.deep_get("Details", default=""),
                    "IEX (" in event.deep_get("Details", default=""),
                    "Invoke-Command" in event.deep_get("Details", default=""),
                    "ICM -" in event.deep_get("Details", default=""),
                    "Invoke-WebRequest" in event.deep_get("Details", default=""),
                    "IWR " in event.deep_get("Details", default=""),
                    "Invoke-RestMethod" in event.deep_get("Details", default=""),
                    "IRM " in event.deep_get("Details", default=""),
                    " -noni " in event.deep_get("Details", default=""),
                    " -noninteractive " in event.deep_get("Details", default=""),
                ]
            ),
        ]
    ):
        return True
    return False
