def rule(event):
    if all(
        [
            any(
                [
                    "AUTHORI" in event.deep_get("ParentUser", default=""),
                    "AUTORI" in event.deep_get("ParentUser", default=""),
                ]
            ),
            any(
                [
                    event.deep_get("ParentUser", default="").endswith("\\NETWORK SERVICE"),
                    event.deep_get("ParentUser", default="").endswith("\\LOCAL SERVICE"),
                ]
            ),
            any(
                [
                    "AUTHORI" in event.deep_get("User", default=""),
                    "AUTORI" in event.deep_get("User", default=""),
                ]
            ),
            any(
                [
                    event.deep_get("User", default="").endswith("\\SYSTEM"),
                    event.deep_get("User", default="").endswith("\\Système"),
                    event.deep_get("User", default="").endswith("\\СИСТЕМА"),
                ]
            ),
            event.deep_get("IntegrityLevel", default="") in ["System", "S-1-16-16384"],
            not all(
                [
                    event.deep_get("Image", default="").endswith("\\rundll32.exe"),
                    "DavSetCookie" in event.deep_get("CommandLine", default=""),
                ]
            ),
        ]
    ):
        return True
    return False
