def rule(event):
    if all(
        [
            event.deep_get("TargetImage", default="").endswith("\\lsass.exe"),
            event.deep_get("SourceImage", default="").endswith(
                ":\\Windows\\system32\\wsmprovhost.exe"
            ),
            not event.deep_get("GrantedAccess", default="") == "0x80000000",
        ]
    ):
        return True
    return False
