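# Command and module names this rule looks for in a process command line.
# Kept in the original spelling for readability; matching is done on a
# lower-cased copy (see _SUSPICIOUS_TOKENS_LOWER).
# Note: "powercat " intentionally keeps its trailing space.
_SUSPICIOUS_TOKENS = (
    "Add-Exfiltration",
    "Add-Persistence",
    "Add-RegBackdoor",
    "Add-RemoteRegBackdoor",
    "Add-ScrnSaveBackdoor",
    "Check-VM",
    "ConvertTo-Rc4ByteStream",
    "Decrypt-Hash",
    "Disable-ADIDNSNode",
    "Disable-MachineAccount",
    "Do-Exfiltration",
    "Enable-ADIDNSNode",
    "Enable-MachineAccount",
    "Enabled-DuplicateToken",
    "Exploit-Jboss",
    "Export-ADR",
    "Export-ADRCSV",
    "Export-ADRExcel",
    "Export-ADRHTML",
    "Export-ADRJSON",
    "Export-ADRXML",
    "Find-Fruit",
    "Find-GPOLocation",
    "Find-TrustedDocuments",
    "Get-ADIDNS",
    "Get-ApplicationHost",
    "Get-ChromeDump",
    "Get-ClipboardContents",
    "Get-FoxDump",
    "Get-GPPPassword",
    "Get-IndexedItem",
    "Get-KerberosAESKey",
    "Get-Keystrokes",
    "Get-LSASecret",
    "Get-MachineAccountAttribute",
    "Get-MachineAccountCreator",
    "Get-PassHashes",
    "Get-RegAlwaysInstallElevated",
    "Get-RegAutoLogon",
    "Get-RemoteBootKey",
    "Get-RemoteCachedCredential",
    "Get-RemoteLocalAccountHash",
    "Get-RemoteLSAKey",
    "Get-RemoteMachineAccountHash",
    "Get-RemoteNLKMKey",
    "Get-RickAstley",
    "Get-Screenshot",
    "Get-SecurityPackages",
    "Get-ServiceFilePermission",
    "Get-ServicePermission",
    "Get-ServiceUnquoted",
    "Get-SiteListPassword",
    "Get-System",
    "Get-TimedScreenshot",
    "Get-UnattendedInstallFile",
    "Get-Unconstrained",
    "Get-USBKeystrokes",
    "Get-VaultCredential",
    "Get-VulnAutoRun",
    "Get-VulnSchTask",
    "Grant-ADIDNSPermission",
    "Gupt-Backdoor",
    "HTTP-Login",
    "Install-ServiceBinary",
    "Install-SSP",
    "Invoke-ACLScanner",
    "Invoke-ADRecon",
    "Invoke-ADSBackdoor",
    "Invoke-AgentSmith",
    "Invoke-AllChecks",
    "Invoke-ARPScan",
    "Invoke-AzureHound",
    "Invoke-BackdoorLNK",
    "Invoke-BadPotato",
    "Invoke-BetterSafetyKatz",
    "Invoke-BypassUAC",
    "Invoke-Carbuncle",
    "Invoke-Certify",
    "Invoke-ConPtyShell",
    "Invoke-CredentialInjection",
    "Invoke-DAFT",
    "Invoke-DCSync",
    "Invoke-DinvokeKatz",
    "Invoke-DllInjection",
    "Invoke-DNSUpdate",
    "Invoke-DNSExfiltrator",
    "Invoke-DomainPasswordSpray",
    "Invoke-DowngradeAccount",
    "Invoke-EgressCheck",
    "Invoke-Eyewitness",
    "Invoke-FakeLogonScreen",
    "Invoke-Farmer",
    "Invoke-Get-RBCD-Threaded",
    "Invoke-Gopher",
    "Invoke-Grouper",
    "Invoke-HandleKatz",
    "Invoke-ImpersonatedProcess",
    "Invoke-ImpersonateSystem",
    "Invoke-InteractiveSystemPowerShell",
    "Invoke-Internalmonologue",
    "Invoke-Inveigh",
    "Invoke-InveighRelay",
    "Invoke-KrbRelay",
    "Invoke-LdapSignCheck",
    "Invoke-Lockless",
    "Invoke-MalSCCM",
    "Invoke-Mimikatz",
    "Invoke-Mimikittenz",
    "Invoke-MITM6",
    "Invoke-NanoDump",
    "Invoke-NetRipper",
    "Invoke-Nightmare",
    "Invoke-NinjaCopy",
    "Invoke-OfficeScrape",
    "Invoke-OxidResolver",
    "Invoke-P0wnedshell",
    "Invoke-Paranoia",
    "Invoke-PortScan",
    "Invoke-PoshRatHttp",
    "Invoke-PostExfil",
    "Invoke-PowerDump",
    "Invoke-PowerDPAPI",
    "Invoke-PowerShellTCP",
    "Invoke-PowerShellWMI",
    "Invoke-PPLDump",
    "Invoke-PsExec",
    "Invoke-PSInject",
    "Invoke-PsUaCme",
    "Invoke-ReflectivePEInjection",
    "Invoke-ReverseDNSLookup",
    "Invoke-Rubeus",
    "Invoke-RunAs",
    "Invoke-SafetyKatz",
    "Invoke-SauronEye",
    "Invoke-SCShell",
    "Invoke-Seatbelt",
    "Invoke-ServiceAbuse",
    "Invoke-ShadowSpray",
    "Invoke-Sharp",
    "Invoke-Shellcode",
    "Invoke-SMBScanner",
    "Invoke-Snaffler",
    "Invoke-Spoolsample",
    "Invoke-SpraySinglePassword",
    "Invoke-SSHCommand",
    "Invoke-StandIn",
    "Invoke-StickyNotesExtract",
    "Invoke-SystemCommand",
    "Invoke-Tasksbackdoor",
    "Invoke-Tater",
    "Invoke-Thunderfox",
    "Invoke-ThunderStruck",
    "Invoke-TokenManipulation",
    "Invoke-Tokenvator",
    "Invoke-TotalExec",
    "Invoke-UrbanBishop",
    "Invoke-UserHunter",
    "Invoke-VoiceTroll",
    "Invoke-Whisker",
    "Invoke-WinEnum",
    "Invoke-winPEAS",
    "Invoke-WireTap",
    "Invoke-WmiCommand",
    "Invoke-WMIExec",
    "Invoke-WScriptBypassUAC",
    "Invoke-Zerologon",
    "MailRaider",
    "New-ADIDNSNode",
    "New-DNSRecordArray",
    "New-HoneyHash",
    "New-InMemoryModule",
    "New-MachineAccount",
    "New-SOASerialNumberArray",
    "Out-Minidump",
    "Port-Scan",
    "PowerBreach",
    "powercat ",
    "PowerUp",
    "PowerView",
    "Remove-ADIDNSNode",
    "Remove-MachineAccount",
    "Remove-Update",
    "Rename-ADIDNSNode",
    "Revoke-ADIDNSPermission",
    "Set-ADIDNSNode",
    "Set-MacAttribute",
    "Set-MachineAccountAttribute",
    "Set-Wallpaper",
    "Show-TargetScreen",
    "Start-CaptureServer",
    "Start-Dnscat2",
    "Start-WebcamRecorder",
    "Veeam-Get-Creds",
    "VolumeShadowCopyTools",
)

# Lower-cased once at import so each event costs a single .lower() call.
_SUSPICIOUS_TOKENS_LOWER = tuple(token.lower() for token in _SUSPICIOUS_TOKENS)


def rule(event):
    """Return True when the event's CommandLine contains a listed token.

    The command line is read once via ``event.deep_get("CommandLine",
    default="")`` and compared case-insensitively against every entry of
    ``_SUSPICIOUS_TOKENS`` using substring matching.

    Matching ignores case because PowerShell resolves command names
    case-insensitively: a case-sensitive comparison would miss
    ``invoke-mimikatz`` while catching ``Invoke-Mimikatz``.

    Detection caveats for whoever tunes this rule:
      * Substring matching means short, generic tokens ("PowerUp",
        "Get-System", "Remove-Update", "Invoke-Sharp") also match longer
        unrelated strings; expect some false positives and triage on the
        parent process and user context.
      * Only the literal command line is inspected. Encoded or otherwise
        obfuscated invocations will not contain these strings, so this rule
        should be paired with script-block or module logging detections.

    Args:
        event: Log event exposing ``deep_get(key, default=...)``.

    Returns:
        bool: True if any token is found, otherwise False.
    """
    command_line = event.deep_get("CommandLine", default="")

    # A missing/empty or non-string field cannot match any token.
    if not command_line or not isinstance(command_line, str):
        return False

    haystack = command_line.lower()
    return any(token in haystack for token in _SUSPICIOUS_TOKENS_LOWER)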
