def rule(event):
    if all(
        [
            "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\TelemetryController\\"
            in event.deep_get("TargetObject", default=""),
            event.deep_get("TargetObject", default="").endswith("\\Command"),
            any(
                [
                    ".bat" in event.deep_get("Details", default=""),
                    ".bin" in event.deep_get("Details", default=""),
                    ".cmd" in event.deep_get("Details", default=""),
                    ".dat" in event.deep_get("Details", default=""),
                    ".dll" in event.deep_get("Details", default=""),
                    ".exe" in event.deep_get("Details", default=""),
                    ".hta" in event.deep_get("Details", default=""),
                    ".jar" in event.deep_get("Details", default=""),
                    ".js" in event.deep_get("Details", default=""),
                    ".msi" in event.deep_get("Details", default=""),
                    ".ps" in event.deep_get("Details", default=""),
                    ".sh" in event.deep_get("Details", default=""),
                    ".vb" in event.deep_get("Details", default=""),
                ]
            ),
            not any(
                [
                    "\\system32\\CompatTelRunner.exe" in event.deep_get("Details", default=""),
                    "\\system32\\DeviceCensus.exe" in event.deep_get("Details", default=""),
                ]
            ),
        ]
    ):
        return True
    return False
