import re


def rule(event):
    if all(
        [
            re.match(
                r"^C:\\\\Windows\\\\SYSTEM32\\\\ntdll\\.dll\\+[a-z0-9]{4,6}\\|C:\\\\Windows\\\\System32\\\\KERNELBASE\\.dll\\+[a-z0-9]{4,6}\\|UNKNOWN\\([A-Z0-9]{16}\\)$",
                event.deep_get("CallTrace", default=""),
            ),
            event.deep_get("GrantedAccess", default="") in ["0x1028", "0x1fffff"],
        ]
    ):
        return True
    return False
