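def rule(event):
    """Flag command lines that appear to write data into a ``txt:`` stream.

    The rule fires when ``CommandLine`` contains ``txt:`` (the
    ``<file>.txt:<stream>`` form, presumably an NTFS alternate data stream
    on a text file) together with every token of at least one of these
    tool patterns:

    * ``type`` with a ``>`` redirect
    * ``makecab`` with a ``.cab`` argument
    * ``reg export``
    * ``regedit /E``
    * ``esentutl`` with ``/y``, ``/d`` and ``/o``

    Matching is case-insensitive because Windows resolves command names and
    switches without regard to case; a case-sensitive substring test would
    miss ``REG EXPORT`` or ``regedit /e``.

    Args:
        event: Log event exposing ``deep_get(key, default=...)``.

    Returns:
        True when the command line matches, otherwise False.

    Detection caveats: this is plain substring matching, so the tokens may
    appear anywhere in the command line and in any order, and only streams
    on names ending in ``txt`` are covered. Tune or pair with process-image
    fields if the false-positive rate is too high.
    """
    # A field that is present but null, or not a string, must not raise from
    # the rule: an exception here means the event is silently not evaluated.
    raw_value = event.deep_get("CommandLine", default="")
    command_line = str(raw_value or "").lower()

    # Cheap mandatory marker first; nothing else matters without it.
    if "txt:" not in command_line:
        return False

    # Each entry lists the lowercase tokens that must ALL be present for
    # that tool to count as a match.
    writer_patterns = (
        ("type ", " > "),
        ("makecab ", ".cab"),
        ("reg ", " export "),
        ("regedit ", " /e "),
        ("esentutl ", " /y ", " /d ", " /o "),
    )
    return any(
        all(token in command_line for token in pattern)
        for pattern in writer_patterns
    )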
