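# Substrings treated as indicators of token manipulation, process-memory access
# or known offensive tooling when they appear in PowerShell script text.
_SUSPICIOUS_KEYWORDS = (
    "AdjustTokenPrivileges",
    "IMAGE_NT_OPTIONAL_HDR64_MAGIC",
    "Metasploit",
    "Microsoft.Win32.UnsafeNativeMethods",
    "Mimikatz",
    "MiniDumpWriteDump",
    "PAGE_EXECUTE_READ",
    "ReadProcessMemory.Invoke",
    "SE_PRIVILEGE_ENABLED",
    "SECURITY_DELEGATION",
    "TOKEN_ADJUST_PRIVILEGES",
    "TOKEN_ALL_ACCESS",
    "TOKEN_ASSIGN_PRIMARY",
    "TOKEN_DUPLICATE",
    "TOKEN_ELEVATION",
    "TOKEN_IMPERSONATE",
    "TOKEN_INFORMATION_CLASS",
    "TOKEN_PRIVILEGES",
    "TOKEN_QUERY",
)
# Lower-cased once at import time so each event costs a single lower() call.
_SUSPICIOUS_KEYWORDS_LOWER = tuple(keyword.lower() for keyword in _SUSPICIOUS_KEYWORDS)


def rule(event):
    """Return True when the event's ScriptBlockText contains a suspicious keyword.

    Args:
        event: Log event exposing ``deep_get(key, default=...)``. Only the
            ``ScriptBlockText`` field is read (presumably PowerShell script
            block logging output - confirm against the log source).

    Returns:
        bool: True if any keyword occurs as a substring of the script text,
        otherwise False. A missing or non-string field yields False.

    Notes:
        Matching is case-insensitive because PowerShell resolves command, type
        and member names without regard to case, so an exact-case comparison
        would miss re-cased script text. This is still a plain substring
        heuristic: it does not see through encoded or string-concatenated
        script text, and legitimate administrative or security tooling that
        references the same Win32 constants will match. Treat hits as leads
        to triage alongside other telemetry, not as verdicts.
    """
    # Read the field once instead of once per keyword.
    script_text = event.deep_get("ScriptBlockText", default="")
    if not isinstance(script_text, str):
        # Nothing searchable; avoid raising from inside the detection.
        return False

    lowered = script_text.lower()
    return any(keyword in lowered for keyword in _SUSPICIOUS_KEYWORDS_LOWER)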
