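# Substrings of Win32 / .NET P/Invoke symbol names. Their presence on a
# process command line is a strong hint that a script or one-liner is
# resolving and calling native APIs directly (memory allocation, remote
# threads, token manipulation, process dumping) rather than using a
# compiled binary. The list is taken verbatim from the original rule.
_WINAPI_KEYWORDS = (
    "AddSecurityPackage",
    "AdjustTokenPrivileges",
    "Advapi32",
    "CloseHandle",
    "CreateProcessWithToken",
    "CreatePseudoConsole",
    "CreateRemoteThread",
    "CreateThread",
    "CreateUserThread",
    "DangerousGetHandle",
    "DuplicateTokenEx",
    "EnumerateSecurityPackages",
    "FreeHGlobal",
    "FreeLibrary",
    "GetDelegateForFunctionPointer",
    "GetLogonSessionData",
    "GetModuleHandle",
    "GetProcAddress",
    "GetProcessHandle",
    "GetTokenInformation",
    "ImpersonateLoggedOnUser",
    "kernel32",
    "LoadLibrary",
    "memcpy",
    "MiniDumpWriteDump",
    "ntdll",
    "OpenDesktop",
    "OpenProcess",
    "OpenProcessToken",
    "OpenThreadToken",
    "OpenWindowStation",
    "PtrToString",
    "QueueUserApc",
    "ReadProcessMemory",
    "RevertToSelf",
    "RtlCreateUserThread",
    "secur32",
    "SetThreadToken",
    "VirtualAlloc",
    "VirtualFree",
    "VirtualProtect",
    "WaitForSingleObject",
    "WriteInt32",
    "WriteProcessMemory",
    "ZeroFreeGlobalAllocUnicode",
)

# Keywords that CompatTelRunner.exe children are known to put on their
# command line; only these are excused, and only under that parent.
_COMPAT_TEL_RUNNER_KEYWORDS = (
    "FreeHGlobal",
    "PtrToString",
    "kernel32",
    "CloseHandle",
)


def rule(event):
    """Flag a process-creation event whose command line names WinAPI symbols.

    The event matches when ``CommandLine`` contains at least one entry of
    ``_WINAPI_KEYWORDS`` and none of the two narrow allowlist conditions
    hold:

    * ``Image`` ends with ``\\MpCmdRun.exe`` and the command line contains
      ``GetLoadLibraryWAddress32`` (Defender's own helper).
    * ``ParentImage`` ends with ``\\CompatTelRunner.exe`` and the command
      line contains one of ``_COMPAT_TEL_RUNNER_KEYWORDS``.

    Each field is fetched once via ``event.deep_get(..., default="")`` so a
    missing field behaves like an empty string instead of raising.

    Args:
        event: Panther event object exposing ``deep_get(key, default=...)``
            for the ``CommandLine``, ``Image`` and ``ParentImage`` fields.

    Returns:
        ``True`` when the event should alert, ``False`` otherwise.

    NOTE(review): all substring checks are case-sensitive, as in the
    original rule; confirm that is the intended semantics, since a
    different casing of the same symbol would not match.
    """
    command_line = event.deep_get("CommandLine", default="")

    # Cheap positive check first: no keyword, no alert, no further lookups.
    if not any(keyword in command_line for keyword in _WINAPI_KEYWORDS):
        return False

    # Allowlist 1: Windows Defender's command-line tool resolving its own
    # loader address.
    image = event.deep_get("Image", default="")
    if image.endswith("\\MpCmdRun.exe") and "GetLoadLibraryWAddress32" in command_line:
        return False

    # Allowlist 2: compatibility-telemetry children that legitimately
    # mention a small set of interop names.
    parent_image = event.deep_get("ParentImage", default="")
    if parent_image.endswith("\\CompatTelRunner.exe") and any(
        keyword in command_line for keyword in _COMPAT_TEL_RUNNER_KEYWORDS
    ):
        return False

    return True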
