def rule(event):
    if any(
        [
            "Add-ConstrainedDelegationBackdoor" in event.deep_get("ScriptBlockText", default=""),
            "Copy-VSS" in event.deep_get("ScriptBlockText", default=""),
            "Create-MultipleSessions" in event.deep_get("ScriptBlockText", default=""),
            "DataToEncode" in event.deep_get("ScriptBlockText", default=""),
            "DNS_TXT_Pwnage" in event.deep_get("ScriptBlockText", default=""),
            "Do-Exfiltration-Dns" in event.deep_get("ScriptBlockText", default=""),
            "Download_Execute" in event.deep_get("ScriptBlockText", default=""),
            "Download-Execute-PS" in event.deep_get("ScriptBlockText", default=""),
            "DownloadAndExtractFromRemoteRegistry" in event.deep_get("ScriptBlockText", default=""),
            "DumpCerts" in event.deep_get("ScriptBlockText", default=""),
            "DumpCreds" in event.deep_get("ScriptBlockText", default=""),
            "DumpHashes" in event.deep_get("ScriptBlockText", default=""),
            "Enable-DuplicateToken" in event.deep_get("ScriptBlockText", default=""),
            "Enable-Duplication" in event.deep_get("ScriptBlockText", default=""),
            "Execute-Command-MSSQL" in event.deep_get("ScriptBlockText", default=""),
            "Execute-DNSTXT-Code" in event.deep_get("ScriptBlockText", default=""),
            "Execute-OnTime" in event.deep_get("ScriptBlockText", default=""),
            "ExetoText" in event.deep_get("ScriptBlockText", default=""),
            "exfill" in event.deep_get("ScriptBlockText", default=""),
            "ExfilOption" in event.deep_get("ScriptBlockText", default=""),
            "FakeDC" in event.deep_get("ScriptBlockText", default=""),
            "FireBuster" in event.deep_get("ScriptBlockText", default=""),
            "FireListener" in event.deep_get("ScriptBlockText", default=""),
            "Get-Information " in event.deep_get("ScriptBlockText", default=""),
            "Get-PassHints" in event.deep_get("ScriptBlockText", default=""),
            "Get-Web-Credentials" in event.deep_get("ScriptBlockText", default=""),
            "Get-WebCredentials" in event.deep_get("ScriptBlockText", default=""),
            "Get-WLAN-Keys" in event.deep_get("ScriptBlockText", default=""),
            "HTTP-Backdoor" in event.deep_get("ScriptBlockText", default=""),
            "Invoke-AmsiBypass" in event.deep_get("ScriptBlockText", default=""),
            "Invoke-BruteForce" in event.deep_get("ScriptBlockText", default=""),
            "Invoke-CredentialsPhish" in event.deep_get("ScriptBlockText", default=""),
            "Invoke-Decode" in event.deep_get("ScriptBlockText", default=""),
            "Invoke-Encode" in event.deep_get("ScriptBlockText", default=""),
            "Invoke-Interceptor" in event.deep_get("ScriptBlockText", default=""),
            "Invoke-JSRatRegsvr" in event.deep_get("ScriptBlockText", default=""),
            "Invoke-JSRatRundll" in event.deep_get("ScriptBlockText", default=""),
            "Invoke-MimikatzWDigestDowngrade" in event.deep_get("ScriptBlockText", default=""),
            "Invoke-NetworkRelay" in event.deep_get("ScriptBlockText", default=""),
            "Invoke-PowerShellIcmp" in event.deep_get("ScriptBlockText", default=""),
            "Invoke-PowerShellUdp" in event.deep_get("ScriptBlockText", default=""),
            "Invoke-Prasadhak" in event.deep_get("ScriptBlockText", default=""),
            "Invoke-PSGcat" in event.deep_get("ScriptBlockText", default=""),
            "Invoke-PsGcatAgent" in event.deep_get("ScriptBlockText", default=""),
            "Invoke-SessionGopher" in event.deep_get("ScriptBlockText", default=""),
            "Invoke-SSIDExfil" in event.deep_get("ScriptBlockText", default=""),
            "LoggedKeys" in event.deep_get("ScriptBlockText", default=""),
            "Nishang" in event.deep_get("ScriptBlockText", default=""),
            "NotAllNameSpaces" in event.deep_get("ScriptBlockText", default=""),
            "Out-CHM" in event.deep_get("ScriptBlockText", default=""),
            "OUT-DNSTXT" in event.deep_get("ScriptBlockText", default=""),
            "Out-HTA" in event.deep_get("ScriptBlockText", default=""),
            "Out-RundllCommand" in event.deep_get("ScriptBlockText", default=""),
            "Out-SCF" in event.deep_get("ScriptBlockText", default=""),
            "Out-SCT" in event.deep_get("ScriptBlockText", default=""),
            "Out-Shortcut" in event.deep_get("ScriptBlockText", default=""),
            "Out-WebQuery" in event.deep_get("ScriptBlockText", default=""),
            "Out-Word" in event.deep_get("ScriptBlockText", default=""),
            "Parse_Keys" in event.deep_get("ScriptBlockText", default=""),
            "Password-List" in event.deep_get("ScriptBlockText", default=""),
            "Powerpreter" in event.deep_get("ScriptBlockText", default=""),
            "Remove-Persistence" in event.deep_get("ScriptBlockText", default=""),
            "Remove-PoshRat" in event.deep_get("ScriptBlockText", default=""),
            "Remove-Update" in event.deep_get("ScriptBlockText", default=""),
            "Run-EXEonRemote" in event.deep_get("ScriptBlockText", default=""),
            "Set-DCShadowPermissions" in event.deep_get("ScriptBlockText", default=""),
            "Set-RemotePSRemoting" in event.deep_get("ScriptBlockText", default=""),
            "Set-RemoteWMI" in event.deep_get("ScriptBlockText", default=""),
            "Shellcode32" in event.deep_get("ScriptBlockText", default=""),
            "Shellcode64" in event.deep_get("ScriptBlockText", default=""),
            "StringtoBase64" in event.deep_get("ScriptBlockText", default=""),
            "TexttoExe" in event.deep_get("ScriptBlockText", default=""),
        ]
    ):
        return True
    return False
