def rule(event):
    if all(
        [
            any(
                [
                    all(
                        [
                            any(
                                [
                                    "\\Control\\Terminal Server\\"
                                    in event.deep_get("TargetObject", default=""),
                                    "\\Windows NT\\Terminal Services\\"
                                    in event.deep_get("TargetObject", default=""),
                                ]
                            ),
                            event.deep_get("TargetObject", default="").endswith("\\Shadow"),
                            event.deep_get("Details", default="")
                            in [
                                "DWORD (0x00000001)",
                                "DWORD (0x00000002)",
                                "DWORD (0x00000003)",
                                "DWORD (0x00000004)",
                            ],
                        ]
                    ),
                    all(
                        [
                            any(
                                [
                                    "\\Control\\Terminal Server\\"
                                    in event.deep_get("TargetObject", default=""),
                                    "\\Windows NT\\Terminal Services\\"
                                    in event.deep_get("TargetObject", default=""),
                                ]
                            ),
                            any(
                                [
                                    event.deep_get("TargetObject", default="").endswith(
                                        "\\DisableRemoteDesktopAntiAlias"
                                    ),
                                    event.deep_get("TargetObject", default="").endswith(
                                        "\\DisableSecuritySettings"
                                    ),
                                    event.deep_get("TargetObject", default="").endswith(
                                        "\\fAllowUnsolicited"
                                    ),
                                    event.deep_get("TargetObject", default="").endswith(
                                        "\\fAllowUnsolicitedFullControl"
                                    ),
                                ]
                            ),
                            event.deep_get("Details", default="") == "DWORD (0x00000001)",
                        ]
                    ),
                    any(
                        [
                            "\\Control\\Terminal Server\\InitialProgram"
                            in event.deep_get("TargetObject", default=""),
                            "\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\InitialProgram"
                            in event.deep_get("TargetObject", default=""),
                            "\\services\\TermService\\Parameters\\ServiceDll"
                            in event.deep_get("TargetObject", default=""),
                            "\\Terminal Server\\WinStations\\RDP-Tcp\\SecurityLayer"
                            in event.deep_get("TargetObject", default=""),
                            "\\Windows NT\\Terminal Services\\InitialProgram"
                            in event.deep_get("TargetObject", default=""),
                        ]
                    ),
                ]
            ),
            not all(
                [
                    event.deep_get("TargetObject", default="").endswith("\\SecurityLayer"),
                    event.deep_get("Details", default="") == "DWORD (0x00000002)",
                ]
            ),
        ]
    ):
        return True
    return False
