def rule(event):
    if any(
        [
            "System.Reflection.Assembly.Load($" in event.deep_get("ScriptBlockText", default=""),
            "[System.Reflection.Assembly]::Load($" in event.deep_get("ScriptBlockText", default=""),
            "[Reflection.Assembly]::Load($" in event.deep_get("ScriptBlockText", default=""),
            "System.Reflection.AssemblyName" in event.deep_get("ScriptBlockText", default=""),
            "Reflection.Emit.AssemblyBuilderAccess"
            in event.deep_get("ScriptBlockText", default=""),
            "Reflection.Emit.CustomAttributeBuilder"
            in event.deep_get("ScriptBlockText", default=""),
            "Runtime.InteropServices.UnmanagedType"
            in event.deep_get("ScriptBlockText", default=""),
            "Runtime.InteropServices.DllImportAttribute"
            in event.deep_get("ScriptBlockText", default=""),
            "SuspendThread" in event.deep_get("ScriptBlockText", default=""),
            "rundll32" in event.deep_get("ScriptBlockText", default=""),
        ]
    ):
        return True
    return False
