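def rule(event):
    """Flag sc.exe creating or reconfiguring a kernel-type service (driver).

    The event matches when all of the following hold:

    * ``Image`` ends with the sc.exe file name,
    * ``CommandLine`` contains ``create`` or ``config``,
    * ``CommandLine`` contains ``binPath``, ``type`` and ``kernel``,
    * ``CommandLine`` does not match one of the known-good driver
      installations listed in ``known_good_installs``.

    All comparisons are case-insensitive. Windows paths and sc.exe option
    names are not case-sensitive, so a case-sensitive substring test would
    miss spellings such as ``binpath=`` or ``SC.EXE``.

    Args:
        event: Log event exposing ``deep_get(key, default=...)``.

    Returns:
        True if the event should raise an alert, otherwise False.
    """
    # Read each field once and normalise it. `or ""` keeps a null field value
    # from raising and simply yields "no match".
    image = (event.deep_get("Image", default="") or "").lower()
    command_line = (event.deep_get("CommandLine", default="") or "").lower()

    # NOTE(review): only the file name of the image is checked, so a renamed
    # copy of sc.exe is not covered. If the log source carries an
    # original-file-name field, matching on it as well would close that gap.
    if not image.endswith("\\sc.exe"):
        return False

    if not any(verb in command_line for verb in ("create", "config")):
        return False

    if not all(token in command_line for token in ("binpath", "type", "kernel")):
        return False

    # Known-good driver installations. Every fragment of an entry must be
    # present for the exclusion to apply.
    # NOTE(review): these exclusions rest on command-line substrings alone.
    # Pairing them with a parent-image or signer condition would make them
    # harder to satisfy by anything other than the intended installer.
    known_good_installs = (
        (
            "create netprotection_network_filter",
            "type= kernel start= ",
            "binPath= System32\\drivers\\netprotection_network_filter",
            "DisplayName= netprotection_network_filter",
            "group= PNP_TDI tag= yes",
        ),
        (
            "create avelam binpath=C:\\Windows\\system32\\drivers\\avelam.sys",
            "type=kernel start=boot error=critical group=Early-Launch",
        ),
    )
    is_known_good = any(
        all(fragment.lower() in command_line for fragment in fragments)
        for fragments in known_good_installs
    )
    return not is_known_good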
