def rule(event):
    if all(
        [
            "\\System\\" in event.deep_get("TargetObject", default=""),
            "ControlSet" in event.deep_get("TargetObject", default=""),
            "\\Services\\" in event.deep_get("TargetObject", default=""),
            event.deep_get("TargetObject", default="").endswith("\\Parameters\\ServiceDll"),
            not any(
                [
                    event.deep_get("Details", default="")
                    == "C:\\Windows\\system32\\spool\\drivers\\x64\\3\\PrintConfig.dll",
                    all(
                        [
                            event.deep_get("Image", default="")
                            == "C:\\Windows\\system32\\lsass.exe",
                            event.deep_get("TargetObject", default="").endswith(
                                "\\Services\\NTDS\\Parameters\\ServiceDll"
                            ),
                            event.deep_get("Details", default="")
                            == "%%systemroot%%\\system32\\ntdsa.dll",
                        ]
                    ),
                    event.deep_get("Image", default="") == "C:\\Windows\\System32\\poqexec.exe",
                ]
            ),
            not all(
                [
                    event.deep_get("Image", default="").endswith("\\regsvr32.exe"),
                    event.deep_get("Details", default="") == "C:\\Windows\\System32\\STAgent.dll",
                ]
            ),
        ]
    ):
        return True
    return False
