def rule(event):
    if all(
        [
            event.deep_get("TargetImage", default="").endswith("\\svchost.exe"),
            event.deep_get("GrantedAccess", default="") == "0x143a",
            not any(
                [
                    event.deep_get("SourceImage", default="").endswith("\\services.exe"),
                    event.deep_get("SourceImage", default="").endswith("\\msiexec.exe"),
                ]
            ),
        ]
    ):
        return True
    return False
