def rule(event):
    if any(
        [
            all(
                [
                    any(
                        [
                            any(
                                [
                                    event.deep_get("Image", default="").endswith("\\find.exe"),
                                    event.deep_get("Image", default="").endswith("\\findstr.exe"),
                                ]
                            ),
                            event.deep_get("OriginalFileName", default="")
                            in ["FIND.EXE", "FINDSTR.EXE"],
                        ]
                    ),
                    any(
                        [
                            '"Everyone"' in event.deep_get("CommandLine", default=""),
                            "'Everyone'" in event.deep_get("CommandLine", default=""),
                            '"BUILTIN\\"' in event.deep_get("CommandLine", default=""),
                            "'BUILTIN\\'" in event.deep_get("CommandLine", default=""),
                        ]
                    ),
                ]
            ),
            all(
                [
                    "icacls " in event.deep_get("CommandLine", default=""),
                    "findstr " in event.deep_get("CommandLine", default=""),
                    "Everyone" in event.deep_get("CommandLine", default=""),
                ]
            ),
        ]
    ):
        return True
    return False
