def rule(event):
    if all(
        [
            event.deep_get("TargetImage", default="").endswith("\\lsass.exe"),
            event.deep_get("GrantedAccess", default="") == "0x1440",
            event.deep_get("CallTrace", default="").startswith("C:\\Windows\\System32\\ntdll.dll+"),
            "|UNKNOWN(" in event.deep_get("CallTrace", default=""),
            event.deep_get("CallTrace", default="").endswith(")"),
        ]
    ):
        return True
    return False
