
Summary
This detection rule identifies potentially malicious activity involving the Antimalware Scan Interface (AMSI) on Windows. It flags the creation of a file named after the AMSI DLL outside the paths where the legitimate module lives, which can indicate an attempt to bypass AMSI by planting a rogue DLL that a process loads in place of the real one (DLL search-order hijacking). The rule assumes that in a healthy environment the AMSI DLL is only ever written to its standard system locations, and it alerts the security team when a copy appears anywhere else. It is written in Elastic's EQL (Event Query Language) and matches file events whose file name follows the AMSI naming convention and whose path is not one of the standard system directories. The rule's guidance also covers investigation steps, so an analyst can trace the process that created the suspicious DLL and gather further context on the potential compromise. The assigned severity is high, reflecting the impact a successful AMSI bypass has on endpoint protection.
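The following is an added example, not the rule's own EQL and not code from Elastic: it re-implements the logic described above in Python and runs it over a handful of constructed, ECS-style file events so the matching behaviour can be seen on sample data. The allowlist of expected locations (System32, SysWOW64 and the WinSxS component store, any drive letter) and the `event.action` values are assumptions for this example and should be aligned with the actual rule and telemetry in use.

```python
import re

# Directories where a legitimate amsi.dll is expected to be written. This is an
# assumption for the example: the two system directories and the WinSxS component
# store that Windows servicing writes to. Drive letter is a wildcard, matching is
# case-insensitive, and the directory must sit at the root of the drive, so a copy
# under D:\Backup\Windows\System32 is still treated as unusual.
_EXPECTED_DIR_RE = re.compile(
    r"^[a-z]:\\windows\\(system32|syswow64)$"
    r"|^[a-z]:\\windows\\winsxs\\",
    re.IGNORECASE,
)


def _normalize(path: str) -> str:
    """Normalise separators so forward-slash paths are handled like backslash ones."""
    return path.replace("/", "\\").strip()


def is_expected_amsi_location(path: str) -> bool:
    """True if the directory part of `path` is one of the expected AMSI locations."""
    directory = _normalize(path).rpartition("\\")[0]
    return bool(_EXPECTED_DIR_RE.match(directory))


def is_suspicious_amsi_creation(event: dict) -> bool:
    """Mirror the rule: an amsi.dll created (or overwritten) outside expected paths."""
    # Deletions and renames are a different signal; only actions that land a new
    # image on disk are considered. Action names are assumed for this example.
    if event.get("event.action") not in ("creation", "overwrite"):
        return False
    path = _normalize(event.get("file.path", ""))
    name = event.get("file.name") or path.rpartition("\\")[2]
    if name.lower() != "amsi.dll":
        return False
    return not is_expected_amsi_location(path)


def detect(events):
    """Return one alert per matching event, keeping the fields an analyst needs
    to trace back the creating process."""
    alerts = []
    for ev in events:
        if is_suspicious_amsi_creation(ev):
            alerts.append({
                "host": ev.get("host.name"),
                "path": ev.get("file.path"),
                "process": ev.get("process.executable"),
                "pid": ev.get("process.pid"),
            })
    return alerts


# Constructed sample events (not real telemetry). Process names and paths are
# illustrative only.
SAMPLE_EVENTS = [
    {"event.action": "creation", "host.name": "ws01",
     "file.name": "amsi.dll", "file.path": r"C:\Windows\System32\amsi.dll",
     "process.executable": r"C:\Windows\WinSxS\amd64_example_component\TiWorker.exe",
     "process.pid": 1204},
    {"event.action": "creation", "host.name": "ws01",
     "file.name": "amsi.dll", "file.path": r"c:\windows\syswow64\amsi.dll",
     "process.executable": r"C:\Windows\System32\svchost.exe", "process.pid": 816},
    {"event.action": "creation", "host.name": "ws01",
     "file.name": "amsi.dll",
     "file.path": r"C:\Windows\WinSxS\amd64_example_component\amsi.dll",
     "process.executable": r"C:\Windows\System32\svchost.exe", "process.pid": 816},
    {"event.action": "creation", "host.name": "ws02",
     "file.name": "amsi.dll",
     "file.path": r"C:\Users\alice\AppData\Local\Temp\amsi.dll",
     "process.executable": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "process.pid": 5520},
    {"event.action": "deletion", "host.name": "ws02",
     "file.name": "amsi.dll", "file.path": r"C:\Tools\amsi.dll",
     "process.executable": r"C:\Windows\explorer.exe", "process.pid": 3300},
    {"event.action": "creation", "host.name": "ws03",
     "file.name": "AMSI.DLL", "file.path": r"C:\Program Files\SomeApp\AMSI.DLL",
     "process.executable": r"C:\Users\bob\Downloads\installer.exe", "process.pid": 7012},
    {"event.action": "creation", "host.name": "ws03",
     "file.name": "notamsi.dll", "file.path": r"C:\Windows\System32\notamsi.dll",
     "process.executable": r"C:\Windows\System32\svchost.exe", "process.pid": 816},
    {"event.action": "overwrite", "host.name": "ws04",
     "file.name": "amsi.dll", "file.path": r"D:\Backup\Windows\System32\amsi.dll",
     "process.executable": r"C:\Windows\System32\cmd.exe", "process.pid": 9100},
]


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[HIGH] rogue amsi.dll on {alert['host']}: {alert['path']} "
              f"created by {alert['process']} (pid {alert['pid']})")
```

Running this yields three alerts: the Temp directory copy written by powershell.exe, the mixed-case copy under Program Files, and the copy under a non-root `Windows\System32` path. The two system directories, the WinSxS copy, the deletion and the differently named DLL are all ignored. For triage, the `process` and `pid` fields are the pivot into process telemetry to see what the creating process did next and whether anything has since loaded the DLL from that path.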
Categories
- Endpoint
- Windows
Data Sources
- File
- Process
- Network Traffic
- Windows Registry
ATT&CK Techniques
- T1562
- T1562.001
- T1574
- T1574.001
Created: 2023-01-17