def rule(event):
    if any(
        [
            all(
                [
                    "VirtualAlloc" in event.deep_get("ScriptBlockText", default=""),
                    "OpenProcess" in event.deep_get("ScriptBlockText", default=""),
                    "WriteProcessMemory" in event.deep_get("ScriptBlockText", default=""),
                    "CreateRemoteThread" in event.deep_get("ScriptBlockText", default=""),
                ]
            ),
            all(
                [
                    "OpenProcessToken" in event.deep_get("ScriptBlockText", default=""),
                    "LookupPrivilegeValue" in event.deep_get("ScriptBlockText", default=""),
                    "AdjustTokenPrivileges" in event.deep_get("ScriptBlockText", default=""),
                ]
            ),
            all(
                [
                    "OpenProcessToken" in event.deep_get("ScriptBlockText", default=""),
                    "DuplicateTokenEx" in event.deep_get("ScriptBlockText", default=""),
                    "CloseHandle" in event.deep_get("ScriptBlockText", default=""),
                ]
            ),
            all(
                [
                    "WriteProcessMemory" in event.deep_get("ScriptBlockText", default=""),
                    "VirtualAlloc" in event.deep_get("ScriptBlockText", default=""),
                    "ReadProcessMemory" in event.deep_get("ScriptBlockText", default=""),
                    "VirtualFree" in event.deep_get("ScriptBlockText", default=""),
                ]
            ),
        ]
    ):
        return True
    return False
