import re


def rule(event):
    if all(
        [
            event.deep_get("EventID", default="") == 4697,
            re.match(
                r"^%systemroot%\\\\[a-zA-Z]{8}\\.exe$",
                event.deep_get("ServiceFileName", default=""),
            ),
            re.match(
                r"(^[a-zA-Z]{4}$)|(^[a-zA-Z]{8}$)|(^[a-zA-Z]{16}$)",
                event.deep_get("ServiceName", default=""),
            ),
            event.deep_get("ServiceStartType", default="") == 3,
            event.deep_get("ServiceType", default="") == "0x10",
            not event.deep_get("ServiceName", default="") == "PSEXESVC",
        ]
    ):
        return True
    return False
