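def rule(event):
    """Flag a registry write that repoints the AMSI COM server registration.

    Returns True when ``TargetObject`` ends with the ``InProcServer32``
    default value of CLSID ``{fdb00e52-a214-4aa1-8fba-4357bb0072ec}`` and
    ``Details`` is anything other than ``%windir%\\system32\\amsi.dll``.
    Returns False otherwise, including when either field is absent.

    NOTE(review): the field names look like Sysmon registry value-set
    events -- confirm against the log source this rule is attached to.
    """
    # Registry key names and Windows paths are case-insensitive, and log
    # sources do not agree on the casing of GUIDs or "%windir%". An exact-case
    # comparison would miss a differently-cased key (false negative) and
    # alert on a differently-cased legitimate value (false positive), so both
    # sides are lower-cased first. `or ""` covers a field that is present but
    # null; str() covers a non-string value.
    target_object = str(event.deep_get("TargetObject", default="") or "").lower()
    details = str(event.deep_get("Details", default="") or "").lower()

    amsi_value_suffix = (
        "\\clsid\\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\\inprocserver32\\(default)"
    )
    # Only this literal form is treated as benign. A fully expanded path to
    # the same DLL (a drive-letter form) still alerts and needs triage.
    expected_details = "%windir%\\system32\\amsi.dll"

    # The suffix match is hive-agnostic: any hive or per-user Classes key that
    # ends in this CLSID path is in scope.
    if not target_object.endswith(amsi_value_suffix):
        return False
    return details != expected_details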
