def rule(event):
    """Flag a Ruby one-liner that loads the socket library and names a shell.

    Returns True only when all of the following hold, otherwise False:

    * the ``Image`` field contains ``ruby``;
    * the ``CommandLine`` field contains `` -e``, ``rsocket`` and
      ``TCPSocket``;
    * the ``CommandLine`` field contains at least one shell name preceded
      by a space (ash, bash, bsh, csh, ksh, pdksh, sh, tcsh).

    A missing field is treated as an empty string and therefore never matches.
    """
    # NOTE(review): field names look like Sysmon-style process-creation
    # telemetry; confirm against the log schema this rule is attached to.
    image = event.deep_get("Image", default="")
    command_line = event.deep_get("CommandLine", default="")

    # Every one of these markers must appear in the command line.
    required_markers = (" -e", "rsocket", "TCPSocket")

    # The leading space is part of each pattern: a shell referenced only by
    # path (e.g. "/bin/sh") does not match unless a space directly precedes
    # the shell name somewhere in the command line.
    shell_markers = (
        " ash",
        " bash",
        " bsh",
        " csh",
        " ksh",
        " pdksh",
        " sh",
        " tcsh",
    )

    # All comparisons are case-sensitive substring tests, so "ruby" matches
    # anywhere in the image path and differently-cased values are missed.
    is_ruby = "ruby" in image
    has_socket_one_liner = all(marker in command_line for marker in required_markers)
    names_shell = any(marker in command_line for marker in shell_markers)

    return is_ruby and has_socket_one_liner and names_shell
