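def rule(event):
    """Flag command lines that pair a privileged-account flag with a command flag.

    The rule fires only when BOTH groups match the ``CommandLine`` field:

    * a user-selection flag naming SYSTEM, an ``NT...`` account or
      administrator (``-u``, ``--user``, ``--system``), and
    * a command flag launching an interpreter or recon binary
      (``-c`` / ``--command`` followed by cmd, powershell, whoami,
      wscript or cscript).

    Matching is case-insensitive. Windows command-line switches and account
    names are commonly written in mixed case (``-u SYSTEM``, ``-c CMD``), and
    a case-sensitive substring test would silently miss those events.

    Args:
        event: Log event exposing ``deep_get(key, default=...)``.

    Returns:
        bool: True when both flag groups are present, otherwise False.
    """
    # Read the field once instead of once per pattern.
    command_line = event.deep_get("CommandLine", default="")

    # A missing, null or non-string field cannot match; returning False keeps
    # the rule from raising TypeError on malformed events.
    if not command_line or not isinstance(command_line, str):
        return False

    haystack = command_line.lower()

    # Patterns are stored lower-cased to line up with the lower-cased haystack.
    # Leading/trailing spaces are significant: they anchor the flag as its own
    # argument rather than as part of a longer token.
    privileged_user_flags = (
        " -u system ",
        " --user system ",
        " -u nt",
        ' -u "nt',
        " -u 'nt",
        " --system ",
        " -u administrator ",
    )
    command_flags = (
        " -c cmd",
        ' -c "cmd',
        " -c powershell",
        ' -c "powershell',
        " --command cmd",
        " --command powershell",
        " -c whoami",
        " -c wscript",
        " -c cscript",
    )

    if not any(flag in haystack for flag in privileged_user_flags):
        return False
    return any(flag in haystack for flag in command_flags)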
