import re


def rule(event):
    if all(
        [
            any(
                [
                    event.deep_get("Image", default="").endswith("\\curl.exe"),
                    event.deep_get("OriginalFileName", default="") == "curl.exe",
                ]
            ),
            re.match(
                r"://[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}",
                event.deep_get("CommandLine", default=""),
            ),
            "http" in event.deep_get("CommandLine", default=""),
            any(
                [
                    " -O" in event.deep_get("CommandLine", default=""),
                    "--remote-name" in event.deep_get("CommandLine", default=""),
                    "--output" in event.deep_get("CommandLine", default=""),
                ]
            ),
            not any(
                [
                    event.deep_get("CommandLine", default="").endswith(".bat"),
                    event.deep_get("CommandLine", default="").endswith('.bat"'),
                    event.deep_get("CommandLine", default="").endswith(".dat"),
                    event.deep_get("CommandLine", default="").endswith('.dat"'),
                    event.deep_get("CommandLine", default="").endswith(".dll"),
                    event.deep_get("CommandLine", default="").endswith('.dll"'),
                    event.deep_get("CommandLine", default="").endswith(".exe"),
                    event.deep_get("CommandLine", default="").endswith('.exe"'),
                    event.deep_get("CommandLine", default="").endswith(".gif"),
                    event.deep_get("CommandLine", default="").endswith('.gif"'),
                    event.deep_get("CommandLine", default="").endswith(".hta"),
                    event.deep_get("CommandLine", default="").endswith('.hta"'),
                    event.deep_get("CommandLine", default="").endswith(".jpeg"),
                    event.deep_get("CommandLine", default="").endswith('.jpeg"'),
                    event.deep_get("CommandLine", default="").endswith(".log"),
                    event.deep_get("CommandLine", default="").endswith('.log"'),
                    event.deep_get("CommandLine", default="").endswith(".msi"),
                    event.deep_get("CommandLine", default="").endswith('.msi"'),
                    event.deep_get("CommandLine", default="").endswith(".png"),
                    event.deep_get("CommandLine", default="").endswith('.png"'),
                    event.deep_get("CommandLine", default="").endswith(".ps1"),
                    event.deep_get("CommandLine", default="").endswith('.ps1"'),
                    event.deep_get("CommandLine", default="").endswith(".psm1"),
                    event.deep_get("CommandLine", default="").endswith('.psm1"'),
                    event.deep_get("CommandLine", default="").endswith(".vbe"),
                    event.deep_get("CommandLine", default="").endswith('.vbe"'),
                    event.deep_get("CommandLine", default="").endswith(".vbs"),
                    event.deep_get("CommandLine", default="").endswith('.vbs"'),
                    event.deep_get("CommandLine", default="").endswith(".bat'"),
                    event.deep_get("CommandLine", default="").endswith(".dat'"),
                    event.deep_get("CommandLine", default="").endswith(".dll'"),
                    event.deep_get("CommandLine", default="").endswith(".exe'"),
                    event.deep_get("CommandLine", default="").endswith(".gif'"),
                    event.deep_get("CommandLine", default="").endswith(".hta'"),
                    event.deep_get("CommandLine", default="").endswith(".jpeg'"),
                    event.deep_get("CommandLine", default="").endswith(".log'"),
                    event.deep_get("CommandLine", default="").endswith(".msi'"),
                    event.deep_get("CommandLine", default="").endswith(".png'"),
                    event.deep_get("CommandLine", default="").endswith(".ps1'"),
                    event.deep_get("CommandLine", default="").endswith(".psm1'"),
                    event.deep_get("CommandLine", default="").endswith(".vbe'"),
                    event.deep_get("CommandLine", default="").endswith(".vbs'"),
                ]
            ),
        ]
    ):
        return True
    return False
