
Summary
This detection rule identifies potential bypass attempts against the Anti-Malware Scan Interface (AMSI) in Windows environments that rely on NULL bits in PowerShell scripts. It monitors script block content for patterns indicative of attempts to evade AMSI scanning. Specifically, it looks for the strings "if(0){{{0}}}' -f $(0 -as [char]) +" and "#<NULL>" in the script block text; these are recognized obfuscation techniques used by threat actors to mislead static and dynamic analysis tools. Detecting these bypass attempts requires that Script Block Logging be enabled on the target systems, so that all executed PowerShell commands and their components are logged. By analyzing the script block text for these keywords, security teams can promptly identify and respond to potentially malicious activity that leverages such evasion tactics.
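The keyword matching described above, as an added example that is not part of the rule itself: a small matcher that applies the two script block keywords to constructed Script Block Logging records (record field names, case-insensitive "contains" semantics and the sample texts are assumptions).

```python
# Added example, not the rule's own code: applies the rule's two
# ScriptBlockText keywords to constructed Script Block Logging records.
from dataclasses import dataclass

# The two substrings the rule looks for in the logged script block text.
AMSI_NULL_BIT_KEYWORDS = (
    "if(0){{{0}}}' -f $(0 -as [char]) +",
    "#<NULL>",
)


@dataclass(frozen=True)
class ScriptBlockEvent:
    """One Script Block Logging record (on a real host, Event ID 4104 in
    Microsoft-Windows-PowerShell/Operational); field names are assumed."""
    record_id: int
    script_block_text: str


def matched_keywords(script_block_text: str) -> list[str]:
    """Return the rule keywords present in the text, in keyword order.
    Case-insensitive substring test, mirroring a SIEM 'contains' match."""
    haystack = script_block_text.casefold()
    return [kw for kw in AMSI_NULL_BIT_KEYWORDS if kw.casefold() in haystack]


def detect(events: list[ScriptBlockEvent]) -> list[tuple[int, list[str]]]:
    """Return (record_id, keywords) for every event the rule would alert on."""
    hits = []
    for event in events:
        found = matched_keywords(event.script_block_text)
        if found:
            hits.append((event.record_id, found))
    return hits


# Constructed sample records: two ordinary scripts and two carrying the
# patterns the rule names. Without Script Block Logging enabled, none of
# these records would exist and the rule would have nothing to inspect.
SAMPLE_EVENTS = [
    ScriptBlockEvent(1, "Get-Process | Where-Object CPU -gt 100"),
    ScriptBlockEvent(2, "$s = 'if(0){{{0}}}' -f $(0 -as [char]) + 'Get-Date'"),
    ScriptBlockEvent(3, "#<NULL>\r\nGet-Date"),
    ScriptBlockEvent(4, "Write-Host 'AMSI scan completed'"),
]

for record_id, found in detect(SAMPLE_EVENTS):
    print(f"record {record_id}: matched {found}")
```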
Categories
- Windows
- Endpoint
Data Sources
- Script
- Application Log
Created: 2023-01-04