LoFP / depending on the scripts, this rule might require some initial tuning to fit the environment

Techniques

Sample rules

Malicious PowerShell Keywords

Description

Detects keywords from well-known PowerShell exploitation frameworks

Detection logic

condition: selection
selection:
  ScriptBlockText|contains:
  - AdjustTokenPrivileges
  - IMAGE_NT_OPTIONAL_HDR64_MAGIC
  - Metasploit
  - Microsoft.Win32.UnsafeNativeMethods
  - Mimikatz
  - MiniDumpWriteDump
  - PAGE_EXECUTE_READ
  - ReadProcessMemory.Invoke
  - SE_PRIVILEGE_ENABLED
  - SECURITY_DELEGATION
  - TOKEN_ADJUST_PRIVILEGES
  - TOKEN_ALL_ACCESS
  - TOKEN_ASSIGN_PRIMARY
  - TOKEN_DUPLICATE
  - TOKEN_ELEVATION
  - TOKEN_IMPERSONATE
  - TOKEN_INFORMATION_CLASS
  - TOKEN_PRIVILEGES
  - TOKEN_QUERY
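To show how this selection behaves against PowerShell script block logging events (Event ID 4104) and where the "initial tuning" from the false-positive note would plug in, here is an added Python example. It is not part of the LoFP page or of the Sigma rule; it re-implements the rule's `ScriptBlockText|contains` selection (Sigma's `contains` is case-insensitive), then applies a hypothetical allowlist filter on the script `Path` field. The sample events, the `ExampleVendor` path and the `ALLOWED_PATH_PREFIXES` tuning are constructed for illustration.

```python
"""Evaluate the 'Malicious PowerShell Keywords' selection over constructed
script block events and apply a hypothetical environment-specific tuning filter."""
from typing import Iterable

# Keyword list copied from the rule's selection above.
KEYWORDS = [
    "AdjustTokenPrivileges",
    "IMAGE_NT_OPTIONAL_HDR64_MAGIC",
    "Metasploit",
    "Microsoft.Win32.UnsafeNativeMethods",
    "Mimikatz",
    "MiniDumpWriteDump",
    "PAGE_EXECUTE_READ",
    "ReadProcessMemory.Invoke",
    "SE_PRIVILEGE_ENABLED",
    "SECURITY_DELEGATION",
    "TOKEN_ADJUST_PRIVILEGES",
    "TOKEN_ALL_ACCESS",
    "TOKEN_ASSIGN_PRIMARY",
    "TOKEN_DUPLICATE",
    "TOKEN_ELEVATION",
    "TOKEN_IMPERSONATE",
    "TOKEN_INFORMATION_CLASS",
    "TOKEN_PRIVILEGES",
    "TOKEN_QUERY",
]

# Hypothetical tuning (constructed, not from the rule): script paths this
# environment has reviewed and accepted, e.g. a vendor agent that legitimately
# uses token APIs. Matches from these paths are suppressed.
ALLOWED_PATH_PREFIXES = ("C:\\Program Files\\ExampleVendor\\",)


def matched_keywords(script_block_text: str) -> list[str]:
    """Return the rule keywords present in the text, in rule order.

    Mirrors Sigma's `contains` modifier: a plain substring test that is
    case-insensitive, so 'mimikatz' matches the 'Mimikatz' keyword."""
    lowered = script_block_text.lower()
    return [k for k in KEYWORDS if k.lower() in lowered]


def evaluate(events: Iterable[dict]) -> list[dict]:
    """Apply the selection to each event and drop hits from allowlisted paths.

    Each event is a dict with the 4104 fields used here: ScriptBlockId,
    Path (empty for interactive/in-memory blocks) and ScriptBlockText."""
    alerts = []
    for ev in events:
        hits = matched_keywords(ev.get("ScriptBlockText", ""))
        if not hits:
            continue
        path = ev.get("Path", "")
        if path.startswith(ALLOWED_PATH_PREFIXES):
            continue  # tuned out for this environment
        alerts.append(
            {"ScriptBlockId": ev.get("ScriptBlockId"), "Path": path, "keywords": hits}
        )
    return alerts


# Constructed sample events; the script text is illustrative only.
SAMPLE_EVENTS = [
    {"ScriptBlockId": "1", "Path": "",
     "ScriptBlockText": "Get-ChildItem -Path C:\\Temp | Measure-Object"},
    {"ScriptBlockId": "2", "Path": "",
     "ScriptBlockText": "$priv = 'TOKEN_ADJUST_PRIVILEGES'; $fn = 'MiniDumpWriteDump'"},
    {"ScriptBlockId": "3", "Path": "C:\\Program Files\\ExampleVendor\\collect.ps1",
     "ScriptBlockText": "# vendor collector referencing MiniDumpWriteDump"},
    {"ScriptBlockId": "4", "Path": "",
     "ScriptBlockText": "Write-Host 'running mimikatz demo'"},
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

Events 2 and 4 alert; event 1 has no keyword and event 3 is suppressed by the path allowlist. Event 4 shows why the rule needs tuning rather than narrowing: a keyword inside a string literal or comment still fires, because `contains` looks at the raw script text, so suppression should be tied to reviewed script paths or signing rather than to keyword case.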