import ipaddress


def rule(event):
    if all(
        [
            event.deep_get("Image", default="").endswith("\\rundll32.exe"),
            event.deep_get("Initiated", default="") == "true",
            not any(
                [
                    any(
                        [
                            ipaddress.ip_address(event.deep_get("DestinationIp", default=""))
                            in ipaddress.ip_network("127.0.0.0/8"),
                            ipaddress.ip_address(event.deep_get("DestinationIp", default=""))
                            in ipaddress.ip_network("10.0.0.0/8"),
                            ipaddress.ip_address(event.deep_get("DestinationIp", default=""))
                            in ipaddress.ip_network("172.16.0.0/12"),
                            ipaddress.ip_address(event.deep_get("DestinationIp", default=""))
                            in ipaddress.ip_network("192.168.0.0/16"),
                            ipaddress.ip_address(event.deep_get("DestinationIp", default=""))
                            in ipaddress.ip_network("169.254.0.0/16"),
                            ipaddress.ip_address(event.deep_get("DestinationIp", default=""))
                            in ipaddress.ip_network("::1/128"),
                            ipaddress.ip_address(event.deep_get("DestinationIp", default=""))
                            in ipaddress.ip_network("fe80::/10"),
                            ipaddress.ip_address(event.deep_get("DestinationIp", default=""))
                            in ipaddress.ip_network("fc00::/7"),
                        ]
                    ),
                    any(
                        [
                            ipaddress.ip_address(event.deep_get("DestinationIp", default=""))
                            in ipaddress.ip_network("20.0.0.0/8"),
                            ipaddress.ip_address(event.deep_get("DestinationIp", default=""))
                            in ipaddress.ip_network("51.103.0.0/16"),
                            ipaddress.ip_address(event.deep_get("DestinationIp", default=""))
                            in ipaddress.ip_network("51.104.0.0/16"),
                            ipaddress.ip_address(event.deep_get("DestinationIp", default=""))
                            in ipaddress.ip_network("51.105.0.0/16"),
                        ]
                    ),
                    event.deep_get("CommandLine", default="").endswith(
                        "\\system32\\PcaSvc.dll,PcaPatchSdbTask"
                    ),
                    event.deep_get("SourceHostname", default="").endswith(".internal.cloudapp.net"),
                    all(
                        [
                            event.deep_get("ParentImage", default="")
                            == "C:\\Windows\\System32\\svchost.exe",
                            event.deep_get("DestinationPort", default="") == 443,
                        ]
                    ),
                ]
            ),
        ]
    ):
        return True
    return False
