Potential Antimalware Scan Interface Bypass via PowerShell

Elastic Detection Rules

Summary
This rule aims to detect potential bypass attempts of the Antimalware Scan Interface (AMSI) through PowerShell scripts. AMSI is a protection mechanism within Windows that allows applications to integrate with installed anti-malware solutions. Attackers often seek to disable AMSI so that malicious scripts can run without being scanned.

The detection is performed by searching PowerShell logs for script blocks that use keywords and classes known to correspond with AMSI bypass techniques, including references to 'AmsiUtils', 'Invoke-AmsiBypass', and other obfuscation or manipulation commands. The rule's criteria include checking for script blocks that reference methods which could be used to evade security measures, within a time range defined by the user (the last 9 months in this case).

When the rule triggers, analysts are directed to investigate the script execution, including parent processes, the script content, and any other suspicious behavior on the host during the alert timeframe. The rule also provides guidance for investigation and response: isolating the host, examining it for further signs of intrusion, and maintaining rigorous logging practices to improve future detection rates.
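The following is an added illustration of the detection approach the summary describes, not Elastic's rule query or any code from the Elastic Detection Rules project. It scans constructed PowerShell script block log events (Event ID 4104) for the two indicator names the summary mentions, applies a configurable lookback window modelled on the 9-month range, and shows why a light normalization step matters: a plain substring check misses an indicator that has been split across string literals, while the normalized check still catches it. The event field names, the `SAMPLE_EVENTS` data, and the 270-day approximation of nine months are assumptions made for this example.

```python
"""Added example: keyword-based scan of PowerShell script block logs for
AMSI-related indicators. Sample events are constructed; this is not the
Elastic rule's query."""
import re
from datetime import datetime, timedelta, timezone

# Indicator names taken from the rule summary; extend with your own list.
AMSI_INDICATORS = ("AmsiUtils", "Invoke-AmsiBypass")

# PowerShell script block logging writes Event ID 4104 (assumed event shape below).
SCRIPT_BLOCK_EVENT_ID = 4104

# Approximation of the 9-month lookback window mentioned in the summary.
LOOKBACK = timedelta(days=270)

# Fixed "now" so the example is deterministic (constructed value).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Constructed sample telemetry, not real log data.
SAMPLE_EVENTS = [
    {"event_id": 4104, "host": "ws01", "timestamp": NOW - timedelta(days=1),
     "script_block_text": "Get-Process | Where-Object { $_.CPU -gt 100 }"},
    {"event_id": 4104, "host": "ws02", "timestamp": NOW - timedelta(days=2),
     "script_block_text": "$t = 'System.Management.Automation.AmsiUtils'"},
    {"event_id": 4104, "host": "ws03", "timestamp": NOW - timedelta(days=3),
     "script_block_text": "$n = 'Amsi' + 'Utils'; Write-Output $n"},
    {"event_id": 4104, "host": "ws04", "timestamp": NOW - timedelta(days=4),
     "script_block_text": "Import-Module .\\Invoke-AmsiBypass.ps1"},
    # Outside the lookback window: should not be reported.
    {"event_id": 4104, "host": "ws05", "timestamp": NOW - timedelta(days=400),
     "script_block_text": "Invoke-AmsiBypass"},
    # Not a script block event: ignored by this scan.
    {"event_id": 4103, "host": "ws06", "timestamp": NOW - timedelta(days=1),
     "script_block_text": "Invoke-AmsiBypass"},
]

# Characters that commonly break an indicator apart in a script block:
# quotes, the string concatenation operator, backtick escapes and whitespace.
_NOISE = re.compile(r"[`'\"+\s]")


def normalize(text: str) -> str:
    """Strip quoting/concatenation noise and lowercase for matching."""
    return _NOISE.sub("", text).lower()


def naive_match(text: str) -> bool:
    """Plain case-insensitive substring check (misses split literals)."""
    lowered = text.lower()
    return any(ind.lower() in lowered for ind in AMSI_INDICATORS)


def matched_indicators(text: str) -> list:
    """Return the indicators present after normalization, in list order."""
    norm = normalize(text)
    return [ind for ind in AMSI_INDICATORS if ind.lower() in norm]


def scan(events, now: datetime = NOW, lookback: timedelta = LOOKBACK) -> list:
    """Report script block events inside the lookback window that reference
    an AMSI indicator. Each hit carries host, timestamp and matched names."""
    window_start = now - lookback
    hits = []
    for ev in events:
        if ev["event_id"] != SCRIPT_BLOCK_EVENT_ID:
            continue
        if ev["timestamp"] < window_start:
            continue
        found = matched_indicators(ev["script_block_text"])
        if found:
            hits.append({"host": ev["host"], "timestamp": ev["timestamp"],
                         "indicators": found})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit["timestamp"].isoformat(), hit["host"], ", ".join(hit["indicators"]))
```

In practice the indicator list, the event source, and the time window are the three knobs an analyst tunes; the normalization step is deliberately simple and will produce false positives on benign text containing these names, which is why the rule directs analysts to review the full script content and parent process rather than act on the keyword alone.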
Categories
  • Endpoint
  • Windows
  • Cloud
Data Sources
  • Process
  • Windows Registry
  • Application Log
  • Logon Session
  • Network Traffic
ATT&CK Techniques
  • T1562
  • T1562.001
  • T1059
  • T1059.001
Created: 2023-01-17