def rule(event):
    if all(
        [
            event.deep_get("TargetImage", default="").endswith("\\lsass.exe"),
            "dump" in event.deep_get("SourceImage", default=""),
            any(
                [
                    event.deep_get("GrantedAccess", default="").endswith("10"),
                    event.deep_get("GrantedAccess", default="").endswith("30"),
                    event.deep_get("GrantedAccess", default="").endswith("50"),
                    event.deep_get("GrantedAccess", default="").endswith("70"),
                    event.deep_get("GrantedAccess", default="").endswith("90"),
                    event.deep_get("GrantedAccess", default="").endswith("B0"),
                    event.deep_get("GrantedAccess", default="").endswith("D0"),
                    event.deep_get("GrantedAccess", default="").endswith("F0"),
                    event.deep_get("GrantedAccess", default="").endswith("18"),
                    event.deep_get("GrantedAccess", default="").endswith("38"),
                    event.deep_get("GrantedAccess", default="").endswith("58"),
                    event.deep_get("GrantedAccess", default="").endswith("78"),
                    event.deep_get("GrantedAccess", default="").endswith("98"),
                    event.deep_get("GrantedAccess", default="").endswith("B8"),
                    event.deep_get("GrantedAccess", default="").endswith("D8"),
                    event.deep_get("GrantedAccess", default="").endswith("F8"),
                    event.deep_get("GrantedAccess", default="").endswith("1A"),
                    event.deep_get("GrantedAccess", default="").endswith("3A"),
                    event.deep_get("GrantedAccess", default="").endswith("5A"),
                    event.deep_get("GrantedAccess", default="").endswith("7A"),
                    event.deep_get("GrantedAccess", default="").endswith("9A"),
                    event.deep_get("GrantedAccess", default="").endswith("BA"),
                    event.deep_get("GrantedAccess", default="").endswith("DA"),
                    event.deep_get("GrantedAccess", default="").endswith("FA"),
                    event.deep_get("GrantedAccess", default="").endswith("0x14C2"),
                    event.deep_get("GrantedAccess", default="").endswith("FF"),
                ]
            ),
        ]
    ):
        return True
    return False
