def rule(event):
    if all(
        [
            "win32_Trustee" in event.deep_get("ScriptBlockText", default=""),
            "win32_Ace" in event.deep_get("ScriptBlockText", default=""),
            ".AccessMask" in event.deep_get("ScriptBlockText", default=""),
            ".AceType" in event.deep_get("ScriptBlockText", default=""),
            ".SetSecurityDescriptor" in event.deep_get("ScriptBlockText", default=""),
            any(
                [
                    "\\Lsa\\JD" in event.deep_get("ScriptBlockText", default=""),
                    "\\Lsa\\Skew1" in event.deep_get("ScriptBlockText", default=""),
                    "\\Lsa\\Data" in event.deep_get("ScriptBlockText", default=""),
                    "\\Lsa\\GBG" in event.deep_get("ScriptBlockText", default=""),
                ]
            ),
        ]
    ):
        return True
    return False
