def rule(event):
    if all(
        [
            "\\SYSTEM\\CurrentControlSet\\Control" in event.deep_get("TargetObject", default=""),
            any(
                [
                    "\\Terminal Server\\WinStations\\RDP-Tcp\\InitialProgram"
                    in event.deep_get("TargetObject", default=""),
                    "\\Terminal Server\\Wds\\rdpwd\\StartupPrograms"
                    in event.deep_get("TargetObject", default=""),
                    "\\SecurityProviders\\SecurityProviders"
                    in event.deep_get("TargetObject", default=""),
                    "\\SafeBoot\\AlternateShell" in event.deep_get("TargetObject", default=""),
                    "\\Print\\Providers" in event.deep_get("TargetObject", default=""),
                    "\\Print\\Monitors" in event.deep_get("TargetObject", default=""),
                    "\\NetworkProvider\\Order" in event.deep_get("TargetObject", default=""),
                    "\\Lsa\\Notification Packages" in event.deep_get("TargetObject", default=""),
                    "\\Lsa\\Authentication Packages" in event.deep_get("TargetObject", default=""),
                    "\\BootVerificationProgram\\ImagePath"
                    in event.deep_get("TargetObject", default=""),
                ]
            ),
            not any(
                [
                    event.deep_get("Details", default="") == "(Empty)",
                    all(
                        [
                            event.deep_get("Image", default="")
                            == "C:\\Windows\\System32\\spoolsv.exe",
                            "\\Print\\Monitors\\CutePDF Writer Monitor"
                            in event.deep_get("TargetObject", default=""),
                            event.deep_get("Details", default="")
                            in ["cpwmon64_v40.dll", "CutePDF Writer"],
                        ]
                    ),
                    all(
                        [
                            event.deep_get("Image", default="")
                            == "C:\\Windows\\System32\\spoolsv.exe",
                            "Print\\Monitors\\Appmon\\Ports\\Microsoft.Office.OneNote_"
                            in event.deep_get("TargetObject", default=""),
                            any(
                                [
                                    "AUTHORI" in event.deep_get("User", default=""),
                                    "AUTORI" in event.deep_get("User", default=""),
                                ]
                            ),
                        ]
                    ),
                    all(
                        [
                            event.deep_get("Image", default="")
                            == "C:\\Windows\\System32\\poqexec.exe",
                            event.deep_get("TargetObject", default="").endswith(
                                "\\NetworkProvider\\Order\\ProviderOrder"
                            ),
                        ]
                    ),
                    all(
                        [
                            event.deep_get("Image", default="")
                            == "C:\\Windows\\System32\\spoolsv.exe",
                            event.deep_get("TargetObject", default="").endswith(
                                "\\Print\\Monitors\\MONVNC\\Driver"
                            ),
                            event.deep_get("Details", default="") == "VNCpm.dll",
                        ]
                    ),
                ]
            ),
        ]
    ):
        return True
    return False
