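# Substrings that mark a command line as suspicious. All entries are stored
# lowercase because rule() lowercases the command line before comparing.
_COMMAND_LINE_INDICATORS = (
    # Tool / script argument names.
    "dumpcreds",
    "mimikatz",
    # Specific command names (matched as "::<command>").
    "::aadcookie",
    "::detours",
    "::memssp",
    "::mflt",
    "::ncroutemon",
    "::ngcsign",
    "::printnightmare",
    "::skeleton",
    "::preshutdown",
    "::mstsc",
    "::multirdp",
    # Module prefixes (matched as "<module>::").
    # NOTE(review): short prefixes such as "process::" or "token::" are broad
    # and may match unrelated command lines; tune with exclusions if the
    # alert volume in your environment requires it.
    "rpc::",
    "token::",
    "crypto::",
    "dpapi::",
    "sekurlsa::",
    "kerberos::",
    "lsadump::",
    "privilege::",
    "process::",
    "vault::",
)


def rule(event):
    """Return True when the event's CommandLine contains a known indicator.

    The CommandLine field is read once and compared case-insensitively
    against every entry in ``_COMMAND_LINE_INDICATORS``. The previous
    implementation compared case-sensitively, so a differently-cased
    invocation (for example ``SEKURLSA::`` or ``Mimikatz``) was not matched.

    Args:
        event: Object exposing ``deep_get(key, default=...)``; only the
            ``CommandLine`` key is read.

    Returns:
        bool: True if any indicator substring is present, otherwise False.
    """
    # `or ""` covers a field that is present but null; str() keeps the
    # substring test well-defined if the field is not a plain string.
    command_line = str(event.deep_get("CommandLine", default="") or "").lower()
    if not command_line:
        return False
    return any(indicator in command_line for indicator in _COMMAND_LINE_INDICATORS)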
