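# Command names matched as substrings of the logged script block text.
# Kept in their canonical casing for readability; matching is done on a
# lower-cased copy (see _POWERVIEW_COMMANDLETS_LOWER).
_POWERVIEW_COMMANDLETS = (
    "Export-PowerViewCSV",
    "Find-DomainLocalGroupMember",
    "Find-DomainObjectPropertyOutlier",
    "Find-DomainProcess",
    "Find-DomainShare",
    "Find-DomainUserEvent",
    "Find-DomainUserLocation",
    "Find-ForeignGroup",
    "Find-ForeignUser",
    "Find-GPOComputerAdmin",
    "Find-GPOLocation",
    "Find-InterestingDomain",
    "Find-InterestingFile",
    "Find-LocalAdminAccess",
    "Find-ManagedSecurityGroups",
    "Get-CachedRDPConnection",
    "Get-DFSshare",
    "Get-DomainDFSShare",
    "Get-DomainDNSRecord",
    "Get-DomainDNSZone",
    "Get-DomainFileServer",
    "Get-DomainGPOComputerLocalGroupMapping",
    "Get-DomainGPOLocalGroup",
    "Get-DomainGPOUserLocalGroupMapping",
    "Get-LastLoggedOn",
    "Get-LoggedOnLocal",
    "Get-NetFileServer",
    "Get-NetForest",
    "Get-NetGPOGroup",
    "Get-NetProcess",
    "Get-NetRDPSession",
    "Get-RegistryMountedDrive",
    "Get-RegLoggedOn",
    "Get-WMIRegCachedRDPConnection",
    "Get-WMIRegLastLoggedOn",
    "Get-WMIRegMountedDrive",
    "Get-WMIRegProxy",
    "Invoke-ACLScanner",
    "Invoke-CheckLocalAdminAccess",
    "Invoke-EnumerateLocalAdmin",
    "Invoke-EventHunter",
    "Invoke-FileFinder",
    "Invoke-Kerberoast",
    "Invoke-MapDomainTrust",
    "Invoke-ProcessHunter",
    "Invoke-RevertToSelf",
    "Invoke-ShareFinder",
    "Invoke-UserHunter",
    "Invoke-UserImpersonation",
    "Remove-RemoteConnection",
    "Request-SPNTicket",
    "Resolve-IPAddress",
)

# Lower-cased once at import time so each event costs one .lower() call.
_POWERVIEW_COMMANDLETS_LOWER = tuple(name.lower() for name in _POWERVIEW_COMMANDLETS)


def rule(event):
    """Return True when the event's ScriptBlockText names a listed commandlet.

    The match is a case-insensitive substring test. PowerShell resolves
    command names without regard to case, so an exact-case comparison
    would miss an invocation that was simply re-cased.

    Args:
        event: Object exposing ``deep_get(key, default=...)``; only the
            ``ScriptBlockText`` field is read.

    Returns:
        True if any name in ``_POWERVIEW_COMMANDLETS`` occurs in the script
        block text, otherwise False. A missing, empty or non-string field
        yields False.
    """
    script_text = event.deep_get("ScriptBlockText", default="")
    # A null or non-string field cannot contain a command name; returning
    # False here avoids a TypeError from the ``in`` test below.
    if not isinstance(script_text, str) or not script_text:
        return False

    haystack = script_text.lower()
    # Substring semantics are intentional: an entry such as
    # "Find-InterestingDomain" also matches longer names that start with it.
    # NOTE(review): this only sees names that appear literally in the logged
    # text; renamed or string-built invocations need a separate detection.
    return any(name in haystack for name in _POWERVIEW_COMMANDLETS_LOWER)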
