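# Detection: a process opened a handle to, or accessed, lsass.exe as recorded by
# Windows Security auditing (EventID 4656 / 4663), minus a list of accessors
# that are expected to touch LSASS.
#
# NOTE(review): the nested all()/any() list shape of the original strongly
# suggests machine-converted Sigma output; if this file is regenerated from a
# source definition, re-apply edits there rather than here.
#
# All matching below is exact-case substring / suffix matching on the raw field
# values, as in the original predicates. Nothing normalizes case or parses the
# access mask numerically; Sigma string matching is case-insensitive by default,
# so confirm the ingest pipeline normalizes case if that is relied upon.

# 4656: AccessMask values (hex strings) treated as suspicious. The test is a
# *substring* test, so "0x40" also matches "0x400"; this is inherited from the
# original `in` predicates and kept unchanged to preserve detection behavior.
_SUSPICIOUS_ACCESS_MASKS_4656 = (
    "0x40",
    "0x1400",
    "0x100000",
    "0x1410",
    "0x1010",
    "0x1438",
    "0x143a",
    "0x1418",
    "0x1f0fff",
    "0x1f1fff",
    "0x1f2fff",
    "0x1f3fff",
)

# 4663: AccessList tokens (substring test) treated as suspicious.
_SUSPICIOUS_ACCESS_LIST_4663 = ("4484", "4416")

# Accessors excluded only when BOTH the basename AND the directory match.
# "RtkAudUService64" carries no ".exe" suffix in the original list and is kept
# as-is, so it matches any ProcessName ending in that string.
_BENIGN_BASENAMES = (
    "\\csrss.exe",
    "\\GamingServices.exe",
    "\\lsm.exe",
    "\\MicrosoftEdgeUpdate.exe",
    "\\minionhost.exe",
    "\\MRT.exe",
    "\\MsMpEng.exe",
    "\\perfmon.exe",
    "\\procexp.exe",
    "\\procexp64.exe",
    "\\svchost.exe",
    "\\taskmgr.exe",
    "\\thor.exe",
    "\\thor64.exe",
    "\\vmtoolsd.exe",
    "\\VsTskMgr.exe",
    "\\wininit.exe",
    "\\wmiprvse.exe",
    "RtkAudUService64",
)
_BENIGN_DIRECTORIES = (
    ":\\Program Files (x86)\\",
    ":\\Program Files\\",
    ":\\ProgramData\\Microsoft\\Windows Defender\\Platform\\",
    ":\\Windows\\SysNative\\",
    ":\\Windows\\System32\\",
    ":\\Windows\\SysWow64\\",
    ":\\Windows\\Temp\\asgard2-agent\\",
)

# Accessors excluded by full path suffix, regardless of AccessList.
_BENIGN_PATH_SUFFIXES = (
    ":\\Windows\\System32\\taskhostw.exe",
    ":\\Windows\\System32\\msiexec.exe",
    ":\\Windows\\CCM\\CcmExec.exe",
)

# Accessors excluded by path suffix only when AccessList contains "%%4484".
_BENIGN_PATH_SUFFIXES_WITH_4484 = (
    ":\\Windows\\Sysmon64.exe",
    "\\x64\\SCENARIOENGINE.EXE",
    ":\\Windows\\System32\\snmp.exe",
    "\\procmon64.exe",
    "\\procmon.exe",
)


def _targets_lsass(event) -> bool:
    """Return True when *event* is a 4656/4663 access to ``\\lsass.exe`` with a
    suspicious AccessMask (4656) or AccessList token (4663).

    Only the field the matching event type needs is read, so a non-string value
    in the field belonging to the *other* event type cannot raise here (the
    original evaluated every predicate eagerly).
    """
    event_id = event.deep_get("EventID", default="")
    # EventID is compared as an int; a string-typed "4656" would not match —
    # confirm the field type against the log source if this rule never fires.
    if event_id == 4656:
        tokens = _SUSPICIOUS_ACCESS_MASKS_4656
        field = event.deep_get("AccessMask", default="")
    elif event_id == 4663:
        tokens = _SUSPICIOUS_ACCESS_LIST_4663
        field = event.deep_get("AccessList", default="")
    else:
        return False
    if not event.deep_get("ObjectName", default="").endswith("\\lsass.exe"):
        return False
    return any(token in field for token in tokens)


def _is_expected_accessor(event) -> bool:
    """Return True when ProcessName (and, where required, AccessList) matches
    one of the exclusions for accessors that routinely open LSASS.

    Exclusions are checked roughly from broadest to narrowest. The bare
    ``":\\Program Files"`` substring test is the widest: it excludes *any*
    accessor under such a path regardless of basename, which is the main
    tuning point if coverage under those directories is wanted.
    """
    process = event.deep_get("ProcessName", default="")
    if process.endswith(_BENIGN_BASENAMES) and any(
        directory in process for directory in _BENIGN_DIRECTORIES
    ):
        return True
    if ":\\Program Files" in process:
        return True
    if process.endswith(_BENIGN_PATH_SUFFIXES):
        return True
    # Every remaining exclusion additionally requires "%%4484" in AccessList.
    if "%%4484" not in event.deep_get("AccessList", default=""):
        return False
    if process.endswith(_BENIGN_PATH_SUFFIXES_WITH_4484):
        return True
    if ":\\Windows\\Temp\\asgard2-agent-sc\\aurora\\" in process and process.endswith(
        "\\aurora-agent-64.exe"
    ):
        return True
    if (
        ":\\Users\\" in process
        and "\\AppData\\Local\\Temp\\is-" in process
        and process.endswith("\\avira_system_speedup.tmp")
    ):
        return True
    if ":\\Windows\\Temp\\" in process and process.endswith(
        "\\avira_speedup_setup_update.tmp"
    ):
        return True
    return ":\\Windows\\SystemTemp\\" in process and process.endswith(
        "\\GoogleUpdate.exe"
    )


def rule(event) -> bool:
    """Rule entry point: True when *event* records a suspicious access to
    lsass.exe by a process that is not on the exclusion list.

    Args:
        event: object exposing ``deep_get(key, default=...)`` for the Windows
            Security fields EventID, ObjectName, AccessMask, AccessList and
            ProcessName. String fields are matched as raw strings; a missing
            field reads as "".

    Returns:
        bool: True to fire the rule, False otherwise.
    """
    if not _targets_lsass(event):
        return False
    return not _is_expected_accessor(event)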
