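def rule(event):
    """Flag a medium-integrity process whose command line edits a service key.

    Returns True only when all of the following hold:

    * ``IntegrityLevel`` is ``Medium`` (or its SID form ``S-1-16-8192``),
      i.e. the process is not elevated;
    * ``CommandLine`` contains ``reg `` and ``add``, or one of
      ``powershell``, ``set-itemproperty``, `` sp `` or ``new-itemproperty``;
    * ``CommandLine`` contains both ``ControlSet`` and ``Services``;
    * ``CommandLine`` names one of the service values ``ImagePath``,
      ``FailureCommand`` or ``ServiceDLL``.

    Matching is case-insensitive. Windows command names, PowerShell cmdlets
    and registry paths are not case-sensitive, so an exact-case comparison
    would miss ``REG ADD`` or the canonical ``Set-ItemProperty`` spelling.

    Args:
        event: log event exposing ``deep_get(key, default=...)``.

    Returns:
        bool: True when the event matches, False otherwise.
    """
    # `or ""` keeps the rule from raising if the field is present but null.
    command_line = (event.deep_get("CommandLine", default="") or "").lower()
    integrity = (event.deep_get("IntegrityLevel", default="") or "").lower()

    # Only non-elevated processes are of interest: a medium-integrity process
    # writing to a service's registry configuration is the anomaly.
    if integrity not in ("medium", "s-1-16-8192"):
        return False

    uses_reg_add = "reg " in command_line and "add" in command_line
    uses_powershell = any(
        token in command_line
        for token in ("powershell", "set-itemproperty", " sp ", "new-itemproperty")
    )
    if not (uses_reg_add or uses_powershell):
        return False

    # Both path fragments must appear for the target to be a service key.
    if "controlset" not in command_line or "services" not in command_line:
        return False

    # These are the values that decide which binary, DLL or recovery command
    # the service runs.
    # NOTE(review): this is plain substring matching on the command line, so
    # encoded or otherwise indirect invocations will not match, and broad
    # tokens such as "add" and " sp " can match unrelated text -- tune
    # against real telemetry.
    return any(
        value_name in command_line
        for value_name in ("imagepath", "failurecommand", "servicedll")
    )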
