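def rule(event):
    """Flag a Windows system-time change (Security event 4616) from an unexpected process.

    Returns True when the event is a 4616 record and none of the known-benign
    sources apply:

    * svchost.exe running as S-1-5-19 (the LOCAL SERVICE well-known SID), and
    * the VMware Tools, VirtualBox guest service and OOBE binaries listed below.

    Exclusions match on the reported image path only; nothing here verifies the
    binary's signature or hash, so they are only as trustworthy as the write
    protection on those directories.

    Args:
        event: Log event exposing ``deep_get(key, default=...)``.

    Returns:
        bool: True if the event should raise an alert, False otherwise.
    """
    # The original compared against the int 4616 while defaulting to "", so a
    # pipeline that delivers EventID as the string "4616" never matched and the
    # detection silently went dark. Accept both representations.
    if event.deep_get("EventID", default="") not in (4616, "4616"):
        return False

    raw_process = event.deep_get("ProcessName", default="")
    # Windows paths are case-insensitive; compare lower-cased so a differently
    # cased but identical path does not bypass the exclusions and alert.
    # Non-string values are treated as "no process name" and still alert.
    process = raw_process.lower() if isinstance(raw_process, str) else ""

    # Routine time sync: the time service hosted in svchost.exe as LOCAL SERVICE.
    # Both conditions must hold; svchost.exe under any other SID still alerts.
    if (
        process == "c:\\windows\\system32\\svchost.exe"
        and event.deep_get("SubjectUserSid", default="") == "S-1-5-19"
    ):
        return False

    # Hypervisor guest tools and first-boot setup legitimately adjust the clock.
    benign_processes = {
        "c:\\program files\\vmware\\vmware tools\\vmtoolsd.exe",
        "c:\\program files (x86)\\vmware\\vmware tools\\vmtoolsd.exe",
        "c:\\windows\\system32\\vboxservice.exe",
        "c:\\windows\\system32\\oobe\\msoobe.exe",
    }
    return process not in benign_processes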
