def rule(event):
    if any(
        [
            "WMImplant" in event.deep_get("ScriptBlockText", default=""),
            " change_user " in event.deep_get("ScriptBlockText", default=""),
            " gen_cli " in event.deep_get("ScriptBlockText", default=""),
            " command_exec " in event.deep_get("ScriptBlockText", default=""),
            " disable_wdigest " in event.deep_get("ScriptBlockText", default=""),
            " disable_winrm " in event.deep_get("ScriptBlockText", default=""),
            " enable_wdigest " in event.deep_get("ScriptBlockText", default=""),
            " enable_winrm " in event.deep_get("ScriptBlockText", default=""),
            " registry_mod " in event.deep_get("ScriptBlockText", default=""),
            " remote_posh " in event.deep_get("ScriptBlockText", default=""),
            " sched_job " in event.deep_get("ScriptBlockText", default=""),
            " service_mod " in event.deep_get("ScriptBlockText", default=""),
            " process_kill " in event.deep_get("ScriptBlockText", default=""),
            " active_users " in event.deep_get("ScriptBlockText", default=""),
            " basic_info " in event.deep_get("ScriptBlockText", default=""),
            " power_off " in event.deep_get("ScriptBlockText", default=""),
            " vacant_system " in event.deep_get("ScriptBlockText", default=""),
            " logon_events " in event.deep_get("ScriptBlockText", default=""),
        ]
    ):
        return True
    return False
