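def rule(event) -> bool:
    """Return True when ScriptBlockText contains every marker substring.

    The rule fires only if all twelve markers below occur in the same
    ``ScriptBlockText`` value. Several of them (``Close-Dnscat2Tunnel``,
    ``New-RandomDNSField``, the ``nslookup`` pipeline) look like fragments of
    a dnscat2 PowerShell client; the rest are generic PowerShell fragments.

    Matching is case-insensitive: PowerShell resolves command and type names
    without regard to case, so a re-cased copy of the same script would slip
    past an exact-case substring test.

    NOTE(review): every marker must be present in one event. If the log
    source splits large script blocks across several events, the markers may
    never meet in a single ``ScriptBlockText`` -- confirm against the
    pipeline, and confirm the all-of combination is intended.

    Args:
        event: Object exposing ``deep_get(key, default=...)``.

    Returns:
        True if all markers are found, otherwise False.
    """
    markers = (
        "System.Diagnostics.Process",
        "Stop-Computer",
        "Restart-Computer",
        "Exception in execution",
        "$cmdargs",
        "Close-Dnscat2Tunnel",
        "set type=$LookupType`nserver",
        "$Command | nslookup 2>&1 | Out-String",
        "New-RandomDNSField",
        "[Convert]::ToString($SYNOptions, 16)",
        "$Session.Dead = $True",
        '$Session["Driver"] -eq',
    )

    # Fetch the field once instead of once per marker.
    script_text = event.deep_get("ScriptBlockText", default="")

    # A null or non-string field cannot contain the markers; treat it as
    # "no match" rather than letting the substring test raise.
    if not isinstance(script_text, str):
        return False

    haystack = script_text.casefold()
    # The generator lets all() stop at the first missing marker.
    return all(marker.casefold() in haystack for marker in markers)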
