def rule(event):
    if all(
        [
            any(
                [
                    event.deep_get("TargetObject", default="").endswith(
                        "\\ShellIds\\Microsoft.PowerShell\\ExecutionPolicy"
                    ),
                    event.deep_get("TargetObject", default="").endswith(
                        "\\Policies\\Microsoft\\Windows\\PowerShell\\ExecutionPolicy"
                    ),
                ]
            ),
            any(
                [
                    "Bypass" in event.deep_get("Details", default=""),
                    "Unrestricted" in event.deep_get("Details", default=""),
                ]
            ),
            not any(
                [
                    ":\\Windows\\System32\\" in event.deep_get("Image", default=""),
                    ":\\Windows\\SysWOW64\\" in event.deep_get("Image", default=""),
                ]
            ),
        ]
    ):
        return True
    return False
