def rule(event):
    if all(
        [
            event.deep_get("Image", default="").endswith("\\reg.exe"),
            any(
                [
                    "SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths"
                    in event.deep_get("CommandLine", default=""),
                    "SOFTWARE\\Microsoft\\Microsoft Antimalware\\Exclusions\\Paths"
                    in event.deep_get("CommandLine", default=""),
                ]
            ),
            "ADD " in event.deep_get("CommandLine", default=""),
            "/t " in event.deep_get("CommandLine", default=""),
            "REG_DWORD " in event.deep_get("CommandLine", default=""),
            "/v " in event.deep_get("CommandLine", default=""),
            "/d " in event.deep_get("CommandLine", default=""),
            "0" in event.deep_get("CommandLine", default=""),
        ]
    ):
        return True
    return False
