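# Win32 / .NET interop names whose presence in a PowerShell script block is
# treated as suspicious. Some entries are substrings of others
# ("OpenProcess" / "OpenProcessToken", "CreateUserThread" /
# "RtlCreateUserThread"); the longer forms are kept so the list stays
# readable next to whatever source it was derived from.
# NOTE(review): several names (e.g. "CloseHandle", "memcpy", "FreeLibrary")
# are common in benign administrative scripts - expect false positives and
# tune per environment.
_SUSPICIOUS_API_NAMES = (
    "AddSecurityPackage",
    "AdjustTokenPrivileges",
    "CloseHandle",
    "CreateProcessWithToken",
    "CreateRemoteThread",
    "CreateThread",
    "CreateUserThread",
    "DangerousGetHandle",
    "DuplicateTokenEx",
    "EnumerateSecurityPackages",
    "FreeLibrary",
    "GetDelegateForFunctionPointer",
    "GetLogonSessionData",
    "GetModuleHandle",
    "GetProcAddress",
    "GetProcessHandle",
    "GetTokenInformation",
    "ImpersonateLoggedOnUser",
    "LoadLibrary",
    "memcpy",
    "MiniDumpWriteDump",
    "OpenDesktop",
    "OpenProcess",
    "OpenProcessToken",
    "OpenThreadToken",
    "OpenWindowStation",
    "QueueUserApc",
    "ReadProcessMemory",
    "RevertToSelf",
    "RtlCreateUserThread",
    "SetThreadToken",
    "VirtualAlloc",
    "VirtualFree",
    "VirtualProtect",
    "WaitForSingleObject",
    "WriteInt32",
    "WriteProcessMemory",
    "ZeroFreeGlobalAllocUnicode",
)


def rule(event):
    """Return True when the event's ScriptBlockText names a listed API.

    Args:
        event: object exposing ``deep_get(key, default=...)``; only the
            "ScriptBlockText" field is read.

    Returns:
        bool: True if any name in ``_SUSPICIOUS_API_NAMES`` occurs as a
        substring of the script block text, otherwise False.

    Matching is a plain, case-sensitive substring test on the logged text,
    so a non-match is not evidence that a script made no such call. Treat a
    hit as one signal to correlate, not as a verdict.
    """
    # Read the field once instead of once per API name.
    script_text = event.deep_get("ScriptBlockText", default="")

    # A non-string value (number, list, bytes) would make the `in` test
    # raise or match on the wrong semantics; treat it as "no script text".
    if not isinstance(script_text, str):
        return False

    # Generator form stops at the first hit instead of evaluating every test.
    return any(api_name in script_text for api_name in _SUSPICIOUS_API_NAMES)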
