
Summary
This rule detects an Antimalware Scan Interface (AMSI) bypass that operates at the Windows RPC layer by hooking the RPC runtime marshaling stubs (NdrClientCall2/3) in rpcrt4.dll. A loader allocates an executable trampoline and marshals a PowerShell delegate to the native stub; the indicators appear in PowerShell Script Block Logging before the bypass takes effect. Unlike patches to amsi.dll or AmsiScanBuffer, this technique tampers with the scan request before AMSI processes it, leaving AMSI itself unchanged and potentially evading telemetry that watches for memory writes to AMSI.

The detector relies on PowerShell Script Block Logging (event 4104) script blocks that reference NdrClientCall2/3 together with the related API calls (GetProcAddress, GetDelegateForFunctionPointer, VirtualProtect), identifying the loader sequence and the memory-protection changes it makes. It also provides guidance for triage and remediation, and notes the limits of detection when the payload is delivered in-memory or outside PowerShell Script Block Logging.
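The matching logic described above, as an added example (not the rule's own query): it reassembles 4104 fragments by ScriptBlockId/MessageNumber, since long script blocks are split across several events and the stub reference may sit in a different part than the API calls, and it raises an alert only when an NdrClientCall2/3 reference co-occurs with at least two of the loader APIs. The sample events are constructed, the `[Win32]` wrapper names in them are placeholders, and block C illustrates the in-memory delivery case the summary names as a limitation.

```python
import re
from collections import defaultdict

# Indicators named by the rule: the rpcrt4.dll marshaling stubs and the
# loader API calls that appear alongside them in the script block.
RPC_STUB = re.compile(r"\bNdrClientCall[23]\b", re.IGNORECASE)
LOADER_APIS = ("GetProcAddress", "GetDelegateForFunctionPointer", "VirtualProtect")


def reassemble(events):
    """Join 4104 fragments by ScriptBlockId in MessageNumber order so that a
    loader sequence split across parts is evaluated as one script block."""
    parts = defaultdict(dict)
    for ev in events:
        parts[ev["ScriptBlockId"]][ev["MessageNumber"]] = ev["ScriptBlockText"]
    return {sbid: "".join(frag[n] for n in sorted(frag)) for sbid, frag in parts.items()}


def evaluate(script_text, min_apis=2):
    """Return (alert, details): alert needs a stub reference plus >= min_apis loader APIs.
    PowerShell is case-insensitive, so the match is too."""
    hits = [a for a in LOADER_APIS if re.search(r"\b%s\b" % a, script_text, re.IGNORECASE)]
    stub = RPC_STUB.search(script_text) is not None
    return (stub and len(hits) >= min_apis), {"stub": stub, "apis": hits}


def scan(events):
    """Evaluate every reassembled script block; returns {ScriptBlockId: (alert, details)}."""
    return {sbid: evaluate(text) for sbid, text in reassemble(events).items()}


# Constructed sample 4104 events (not real telemetry).
SAMPLE_EVENTS = [
    # Block A: loader split over two parts; the stub name only appears in part 2.
    {"ScriptBlockId": "A", "MessageNumber": 1, "MessageTotal": 2,
     "ScriptBlockText": "$h = [Win32]::GetModuleHandle('rpcrt4.dll')\n$a = [Win32]::GetProcAddress($h, "},
    {"ScriptBlockId": "A", "MessageNumber": 2, "MessageTotal": 2,
     "ScriptBlockText": "'NdrClientCall2')\n[Win32]::VirtualProtect($a, $len, $flags, [ref]$old)\n"},
    # Block B: benign admin script that merely mentions one of the API names.
    {"ScriptBlockId": "B", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "Get-Process | Where-Object { $_.Path -like '*VirtualProtect*' }"},
    # Block C: in-memory stager; the loader body never reaches 4104, so nothing matches.
    {"ScriptBlockId": "C", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "IEX (Get-Content -Raw $env:TEMP\\stage.txt)  # placeholder stager"},
]

if __name__ == "__main__":
    for sbid, (alert, details) in scan(SAMPLE_EVENTS).items():
        print(sbid, "ALERT" if alert else "ok", details)
```

Each part of block A evaluated alone does not alert; only the reassembled block does, which is why the grouping step matters in a real query.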
Categories
- Endpoint
- Windows
Data Sources
- Script
- Process
ATT&CK Techniques
- T1562
- T1562.001
- T1059
- T1059.001
Created: 2026-06-22