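# Substrings treated as indicators of known offensive PowerShell tooling.
# Kept in their canonical casing for readability and lower-cased once at
# import time so the per-event comparison is case-insensitive.
_SUSPICIOUS_COMMANDLETS = tuple(
    name.lower()
    for name in (
        "Add-Exfiltration",
        "Add-Persistence",
        "Add-RegBackdoor",
        "Add-RemoteRegBackdoor",
        "Add-ScrnSaveBackdoor",
        "ConvertTo-Rc4ByteStream",
        "Decrypt-Hash",
        "Disable-ADIDNSNode",
        "Do-Exfiltration",
        "Enable-ADIDNSNode",
        "Enabled-DuplicateToken",
        "Exploit-Jboss",
        "Export-ADRCSV",
        "Export-ADRExcel",
        "Export-ADRHTML",
        "Export-ADRJSON",
        "Export-ADRXML",
        "Find-Fruit",
        "Find-GPOLocation",
        "Find-TrustedDocuments",
        "Get-ADIDNSNodeAttribute",
        "Get-ADIDNSNodeOwner",
        "Get-ADIDNSNodeTombstoned",
        "Get-ADIDNSPermission",
        "Get-ADIDNSZone",
        "Get-ChromeDump",
        "Get-ClipboardContents",
        "Get-FoxDump",
        "Get-GPPPassword",
        "Get-IndexedItem",
        "Get-KerberosAESKey",
        "Get-Keystrokes",
        "Get-LSASecret",
        "Get-PassHashes",
        "Get-RegAlwaysInstallElevated",
        "Get-RegAutoLogon",
        "Get-RemoteBootKey",
        "Get-RemoteCachedCredential",
        "Get-RemoteLocalAccountHash",
        "Get-RemoteLSAKey",
        "Get-RemoteMachineAccountHash",
        "Get-RemoteNLKMKey",
        "Get-RickAstley",
        "Get-SecurityPackages",
        "Get-ServiceFilePermission",
        "Get-ServicePermission",
        "Get-ServiceUnquoted",
        "Get-SiteListPassword",
        "Get-System",
        "Get-TimedScreenshot",
        "Get-UnattendedInstallFile",
        "Get-Unconstrained",
        "Get-USBKeystrokes",
        "Get-VaultCredential",
        "Get-VulnAutoRun",
        "Get-VulnSchTask",
        "Grant-ADIDNSPermission",
        "Gupt-Backdoor",
        "Invoke-ACLScanner",
        "Invoke-ADRecon",
        "Invoke-ADSBackdoor",
        "Invoke-AgentSmith",
        "Invoke-AllChecks",
        "Invoke-ARPScan",
        "Invoke-AzureHound",
        "Invoke-BackdoorLNK",
        "Invoke-BadPotato",
        "Invoke-BetterSafetyKatz",
        "Invoke-BypassUAC",
        "Invoke-Carbuncle",
        "Invoke-Certify",
        "Invoke-ConPtyShell",
        "Invoke-CredentialInjection",
        "Invoke-DAFT",
        "Invoke-DCSync",
        "Invoke-DinvokeKatz",
        "Invoke-DllInjection",
        "Invoke-DNSUpdate",
        "Invoke-DNSExfiltrator",
        "Invoke-DomainPasswordSpray",
        "Invoke-DowngradeAccount",
        "Invoke-EgressCheck",
        "Invoke-Eyewitness",
        "Invoke-FakeLogonScreen",
        "Invoke-Farmer",
        "Invoke-Get-RBCD-Threaded",
        "Invoke-Gopher",
        "Invoke-Grouper",
        "Invoke-HandleKatz",
        "Invoke-ImpersonatedProcess",
        "Invoke-ImpersonateSystem",
        "Invoke-InteractiveSystemPowerShell",
        "Invoke-Internalmonologue",
        "Invoke-Inveigh",
        "Invoke-InveighRelay",
        "Invoke-KrbRelay",
        "Invoke-LdapSignCheck",
        "Invoke-Lockless",
        "Invoke-MalSCCM",
        "Invoke-Mimikatz",
        "Invoke-Mimikittenz",
        "Invoke-MITM6",
        "Invoke-NanoDump",
        "Invoke-NetRipper",
        "Invoke-Nightmare",
        "Invoke-NinjaCopy",
        "Invoke-OfficeScrape",
        "Invoke-OxidResolver",
        "Invoke-P0wnedshell",
        "Invoke-Paranoia",
        "Invoke-PortScan",
        "Invoke-PoshRatHttp",
        "Invoke-PostExfil",
        "Invoke-PowerDump",
        "Invoke-PowerDPAPI",
        "Invoke-PowerShellTCP",
        "Invoke-PowerShellWMI",
        "Invoke-PPLDump",
        "Invoke-PsExec",
        "Invoke-PSInject",
        "Invoke-PsUaCme",
        "Invoke-ReflectivePEInjection",
        "Invoke-ReverseDNSLookup",
        "Invoke-Rubeus",
        "Invoke-RunAs",
        "Invoke-SafetyKatz",
        "Invoke-SauronEye",
        "Invoke-SCShell",
        "Invoke-Seatbelt",
        "Invoke-ServiceAbuse",
        "Invoke-ShadowSpray",
        "Invoke-Sharp",
        "Invoke-Shellcode",
        "Invoke-SMBScanner",
        "Invoke-Snaffler",
        "Invoke-Spoolsample",
        "Invoke-SpraySinglePassword",
        "Invoke-SSHCommand",
        "Invoke-StandIn",
        "Invoke-StickyNotesExtract",
        "Invoke-SystemCommand",
        "Invoke-Tasksbackdoor",
        "Invoke-Tater",
        "Invoke-Thunderfox",
        "Invoke-ThunderStruck",
        "Invoke-TokenManipulation",
        "Invoke-Tokenvator",
        "Invoke-TotalExec",
        "Invoke-UrbanBishop",
        "Invoke-UserHunter",
        "Invoke-VoiceTroll",
        "Invoke-Whisker",
        "Invoke-WinEnum",
        "Invoke-winPEAS",
        "Invoke-WireTap",
        "Invoke-WmiCommand",
        "Invoke-WMIExec",
        "Invoke-WScriptBypassUAC",
        "Invoke-Zerologon",
        "MailRaider",
        "New-ADIDNSNode",
        "New-HoneyHash",
        "New-InMemoryModule",
        "New-SOASerialNumberArray",
        "Out-Minidump",
        "PowerBreach",
        # The trailing space is part of the indicator; do not strip it.
        "powercat ",
        "PowerUp",
        "PowerView",
        "Remove-ADIDNSNode",
        "Remove-Update",
        "Rename-ADIDNSNode",
        "Revoke-ADIDNSPermission",
        "Set-ADIDNSNode",
        "Show-TargetScreen",
        "Start-CaptureServer",
        "Start-Dnscat2",
        "Start-WebcamRecorder",
        "VolumeShadowCopyTools",
    )
)

# Substrings that suppress the alert. "Get-SystemDriveInfo" is listed because
# it contains the "Get-System" indicator above.
# NOTE(review): these are plain substring tests on the same script text the
# indicators are read from, so any script block that merely contains one of
# them is suppressed. Consider narrowing the exclusion with additional event
# fields (for example the script path, if the log source provides one).
_EXCLUSIONS = tuple(
    marker.lower()
    for marker in (
        "Get-SystemDriveInfo",
        "C:\\ProgramData\\Amazon\\EC2-Windows\\Launch\\Module\\",
    )
)


def rule(event):
    """Return True when a script block names a known offensive commandlet.

    Reads ``ScriptBlockText`` from the event once and reports a match when it
    contains at least one indicator substring and none of the exclusion
    substrings.

    Matching is case-insensitive: PowerShell resolves command names without
    regard to case, so a case-sensitive comparison would miss an invocation
    that is simply written in different casing.

    Args:
        event: Object exposing ``deep_get(key, default=...)``.

    Returns:
        bool: True if the event should alert, False otherwise.
    """
    script_text = event.deep_get("ScriptBlockText", default="")
    # A missing, null or non-text field cannot contain an indicator.
    if not isinstance(script_text, str) or not script_text:
        return False

    haystack = script_text.lower()
    if not any(indicator in haystack for indicator in _SUSPICIOUS_COMMANDLETS):
        return False
    return not any(marker in haystack for marker in _EXCLUSIONS)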
