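# All literals below are lower-cased because every event field is lower-cased
# before comparison: Windows paths are case-insensitive and the same access
# mask may be logged with upper- or lower-case hex digits.

# GrantedAccess values that end with one of these strings are of interest.
_ACCESS_SUFFIXES = (
    "30", "50", "70", "90", "b0", "d0", "f0",
    "18", "38", "58", "78", "98", "b8", "d8", "f8",
    "1a", "3a", "5a", "7a", "9a", "ba", "da", "fa",
    "0x14c2",
)

# GrantedAccess values that start with one of these strings are of interest.
_ACCESS_PREFIXES = (
    "0x100000",
    "0x1418",
    "0x1438",
    "0x143a",
    "0x1f0fff",
    "0x1f1fff",
    "0x1f2fff",
    "0x1f3fff",
    "0x40",
)

# SourceImage directories that are excluded whatever the access mask is.
_EXCLUDED_SOURCE_DIRS = (
    ":\\program files (x86)\\",
    ":\\program files\\",
    ":\\windows\\system32\\",
    ":\\windows\\syswow64\\",
)

# CallTrace frames that exclude the event on their own.
_DEFENDER_TRACE_FRAMES = (
    "|c:\\program files\\windows defender\\mprtp.dll",
    "|c:\\program files\\windows defender\\mpclient.dll",
)

# CallTrace path fragment of the Defender definition-update directory; it must
# be preceded by "|" and exactly one more character (the drive letter).
_DEFENDER_DEFINITIONS_DIR = (
    ":\\programdata\\microsoft\\windows defender\\definition updates\\{"
)

# SourceImage suffixes that are excluded only when GrantedAccess is exactly 0x40.
_EXCLUDED_WITH_ACCESS_0X40 = (
    "\\procexp64.exe",
    "\\procexp.exe",
    "\\mbaminstallerservice.exe",
    "\\aurora-agent-64.exe",
    "\\aurora-agent.exe",
    "\\thor.exe",
    "\\thor64.exe",
    "\\handle.exe",
    "\\handle64.exe",
)


def _field(event, name):
    """Return the named event field lower-cased, or "" if it is absent or not a string."""
    value = event.deep_get(name, default="")
    return value.lower() if isinstance(value, str) else ""


def _has_defender_definitions_frame(call_trace):
    """Return True if a CallTrace frame starts in the Defender definition-update directory.

    The original literal was "|?:\\ProgramData\\...", which looks like a
    single-character wildcard for the drive letter (presumably carried over from
    the rule's source format; confirm). Matched literally it can never be true,
    since "?" is not valid in a Windows path, so the exclusion was dead.
    """
    position = call_trace.find(_DEFENDER_DEFINITIONS_DIR)
    while position != -1:
        if position >= 2 and call_trace[position - 2] == "|":
            return True
        position = call_trace.find(_DEFENDER_DEFINITIONS_DIR, position + 1)
    return False


def rule(event):
    """Flag process-access events on lsass.exe whose access mask is on the watch list.

    The rule fires when TargetImage ends with "\\lsass.exe", GrantedAccess
    matches one of the listed suffixes or prefixes, and none of the exclusions
    for known software applies. All comparisons are case-insensitive.

    Args:
        event: log event exposing ``deep_get(key, default=...)``; the fields
            read are TargetImage, GrantedAccess, SourceImage and CallTrace.

    Returns:
        True if the event should raise an alert, otherwise False.
    """
    if not _field(event, "TargetImage").endswith("\\lsass.exe"):
        return False

    access = _field(event, "GrantedAccess")
    if not (access.endswith(_ACCESS_SUFFIXES) or access.startswith(_ACCESS_PREFIXES)):
        return False

    source = _field(event, "SourceImage")
    call_trace = _field(event, "CallTrace")

    # NOTE(review): the exclusions below rely on path and file-name matching
    # only, and several of them cover locations outside the system directories
    # (AppData, ProgramData, SteamLibrary). Where the log source provides
    # signer or hash fields, pairing them with these exclusions would make
    # them harder to satisfy by file placement alone.

    # Operating system and installed-program directories.
    if any(directory in source for directory in _EXCLUDED_SOURCE_DIRS):
        return False

    # Windows Defender: engine process, definition-update engine, client DLLs.
    if (
        ":\\programdata\\microsoft\\windows defender\\" in source
        and source.endswith("\\msmpeng.exe")
    ):
        return False
    if (
        access == "0x1418"
        and "}\\mpengine.dll+" in call_trace
        and _has_defender_definitions_frame(call_trace)
    ):
        return False
    if any(frame in call_trace for frame in _DEFENDER_TRACE_FRAMES):
        return False

    # Third-party software excluded regardless of the access mask.
    if source.endswith(
        ":\\programdata\\malwarebytes\\mbamservice\\ctlrupdate\\mbupdatr.exe"
    ):
        return False
    if source.endswith("\\appdata\\local\\programs\\microsoft vs code\\code.exe"):
        return False
    if ":\\programdata\\vmware\\vmware tools\\" in source and source.endswith(
        "\\vmtoolsd.exe"
    ):
        return False
    if "\\steamlibrary\\steamapps\\" in source:
        return False

    # Software excluded only for one exact access mask.
    if access == "0x40" and source.endswith(_EXCLUDED_WITH_ACCESS_0X40):
        return False
    if access == "0x401" and source.endswith(
        ("\\explorer.exe", "\\appdata\\local\\webex\\webexhost.exe")
    ):
        return False

    return True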
