
Summary
This detection rule identifies potential attempts to bypass the Antimalware Scan Interface (AMSI) in Windows, specifically through the manipulation of .NET reflection within PowerShell scripts. The rule monitors process creation events, particularly those in which a PowerShell command line signals an attempt to disable AMSI scanning. This method can allow malicious scripts to run without triggering antivirus alerts or detections that rely on AMSI. The detection specifically looks for command lines that contain a reference to 'amsiInitFailed' together with .NET reflection calls used to alter the behavior of AMSI. By identifying these patterns, organizations can potentially thwart evasive tactics employed by threat actors who try to disable malware defenses through scripting.
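The logic described above, applied to constructed process-creation events, as an added example that is not the rule's own code. The field names (Image, CommandLine), the PowerShell image names, and the reflection marker substrings are assumptions chosen here for illustration; the sample command lines are constructed and deliberately incomplete (the reflected type name is a placeholder), so they carry the indicators the rule keys on without being a working bypass. The example also shows why both conditions are required: a command line that merely mentions the string 'amsiInitFailed' (a log search) does not alert, while a case-varied command line still does.

```python
import ntpath

# Constructed sample events in a Sysmon Event ID 1 / Security 4688 style.
# Events 0 and 2 carry both indicators (with a placeholder type name);
# event 1 mentions the token only; event 3 is an unrelated process.
SAMPLE_EVENTS = [
    {"EventID": 1,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -c \"[Ref].Assembly.GetType("
                    "'<constructed-type-name>').GetField('amsiInitFailed','NonPublic,Static')\""},
    {"EventID": 1,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -c \"Select-String -Path C:\\logs\\*.log "
                    "-Pattern 'amsiInitFailed'\""},
    {"EventID": 1,
     "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "CommandLine": "PWSH.EXE -C \"[REF].ASSEMBLY.GETTYPE('<constructed-type-name>')"
                    ".GETFIELD('AMSIINITFAILED','NONPUBLIC,STATIC')\""},
    {"EventID": 1,
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c dir"},
]

# Assumed PowerShell host image names (not from the page).
PS_IMAGES = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
# Token the page names, compared case-insensitively.
AMSI_TOKEN = "amsiinitfailed"
# Assumed substrings indicating .NET reflection in a command line.
REFLECTION_MARKERS = ("getfield(", ".assembly.", "reflection.")


def is_powershell(event):
    """True when the created process image is a PowerShell host (assumed names)."""
    return ntpath.basename(event.get("Image", "")).lower() in PS_IMAGES


def matches_amsi_reflection_bypass(event):
    """Alert only when the command line has the amsiInitFailed token AND a
    reflection marker; requiring both keeps a plain mention of the string
    (for example a log search) from firing."""
    if not is_powershell(event):
        return False
    cmd = event.get("CommandLine", "").lower()
    if AMSI_TOKEN not in cmd:
        return False
    return any(marker in cmd for marker in REFLECTION_MARKERS)


def scan(events):
    """Return (index, command line) pairs for every matching event."""
    return [(i, e["CommandLine"]) for i, e in enumerate(events)
            if matches_amsi_reflection_bypass(e)]


if __name__ == "__main__":
    for i, cmd in scan(SAMPLE_EVENTS):
        print(f"ALERT event[{i}]: {cmd}")
```

Lower-casing the whole command line before matching is what makes the case-varied third event alert; a production rule should likewise treat all of these substrings as case-insensitive, since PowerShell itself does not care about case in cmdlet or member names.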
Categories
- Endpoint
- Windows
- Application
Data Sources
- Process
Created: 2018-08-17