def rule(event):
    if all(
        [
            event.deep_get("ParentImage", default="").endswith("\\conhost.exe"),
            not any(
                [
                    event.deep_get("Image", default="").endswith(
                        ":\\Windows\\System32\\conhost.exe"
                    ),
                    event.deep_get("Image", default="") == "",
                    event.deep_get("Image", default="") == "",
                ]
            ),
            not event.deep_get("Provider_Name", default="") == "SystemTraceProvider-Process",
        ]
    ):
        return True
    return False
