def rule(event):
    if all(
        [
            any(
                [
                    event.deep_get("ParentImage", default="").endswith("\\WindowsTerminal.exe"),
                    event.deep_get("ParentImage", default="").endswith("\\wt.exe"),
                ]
            ),
            any(
                [
                    any(
                        [
                            event.deep_get("Image", default="").endswith("\\rundll32.exe"),
                            event.deep_get("Image", default="").endswith("\\regsvr32.exe"),
                            event.deep_get("Image", default="").endswith("\\certutil.exe"),
                            event.deep_get("Image", default="").endswith("\\cscript.exe"),
                            event.deep_get("Image", default="").endswith("\\wscript.exe"),
                            event.deep_get("Image", default="").endswith("\\csc.exe"),
                        ]
                    ),
                    any(
                        [
                            "C:\\Users\\Public\\" in event.deep_get("Image", default=""),
                            "\\Downloads\\" in event.deep_get("Image", default=""),
                            "\\Desktop\\" in event.deep_get("Image", default=""),
                            "\\AppData\\Local\\Temp\\" in event.deep_get("Image", default=""),
                            "\\Windows\\TEMP\\" in event.deep_get("Image", default=""),
                        ]
                    ),
                    any(
                        [
                            " iex " in event.deep_get("CommandLine", default=""),
                            " icm" in event.deep_get("CommandLine", default=""),
                            "Invoke-" in event.deep_get("CommandLine", default=""),
                            "Import-Module " in event.deep_get("CommandLine", default=""),
                            "ipmo " in event.deep_get("CommandLine", default=""),
                            "DownloadString(" in event.deep_get("CommandLine", default=""),
                            " /c " in event.deep_get("CommandLine", default=""),
                            " /k " in event.deep_get("CommandLine", default=""),
                            " /r " in event.deep_get("CommandLine", default=""),
                        ]
                    ),
                ]
            ),
            not any(
                [
                    all(
                        [
                            "Import-Module" in event.deep_get("CommandLine", default=""),
                            "Microsoft.VisualStudio.DevShell.dll"
                            in event.deep_get("CommandLine", default=""),
                            "Enter-VsDevShell" in event.deep_get("CommandLine", default=""),
                        ]
                    ),
                    all(
                        [
                            "\\AppData\\Local\\Packages\\Microsoft.WindowsTerminal_"
                            in event.deep_get("CommandLine", default=""),
                            "\\LocalState\\settings.json"
                            in event.deep_get("CommandLine", default=""),
                        ]
                    ),
                    all(
                        [
                            "C:\\Program Files\\Microsoft Visual Studio\\"
                            in event.deep_get("CommandLine", default=""),
                            "\\Common7\\Tools\\VsDevCmd.bat"
                            in event.deep_get("CommandLine", default=""),
                        ]
                    ),
                ]
            ),
        ]
    ):
        return True
    return False
