Resurrecting an old AMSI Bypass
ID: 26f11dee-57c7-5d85-ba7a-4b9e457b4ded
STIX ID: report--26f11dee-57c7-5d85-ba7a-4b9e457b4ded
Feed Name: SensePost Blog
This blog post demonstrates a proof-of-concept bypass of Windows' Anti-Malware Scan Interface (AMSI) for PowerShell: the author builds a fake amsi.dll that exports the functions PowerShell expects and plants it in a user-writable location where DLL search-order hijacking causes it to be loaded in place of the real library. The post walks through the implementation, ProcMon observations of the DLL load, and testing (including where the fake DLL must be placed for the hijack to work), and closes with mitigation and defense notes covering Windows Defender detection and planned PowerShell fixes.
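The hijack described above leaves two observable artifacts a defender can look for: an amsi.dll loaded into a process from somewhere other than the Windows system directory (or lacking Microsoft's Authenticode signature), and a stray amsi.dll sitting in a directory that is searched before System32. The following PowerShell hunt is an added example written for this entry; it is not code from the SensePost post. The function names, the set of directories it checks (the PowerShell home directory, the current directory and every PATH entry) and the ACL heuristic for "user-writable" are this editor's assumptions, not the placements or detections the original author describes.

```powershell
# Added example, not from the original post.  Run as an administrator on the
# host being checked.  The directory list and ACL heuristic below are
# assumptions chosen for illustration.

$SystemDirs = @(
    (Join-Path $env:SystemRoot 'System32'),
    (Join-Path $env:SystemRoot 'SysWOW64')
)

function Test-TrustedAmsiPath {
    # A genuine amsi.dll lives in a system directory and carries a valid
    # Microsoft Authenticode signature.  A planted stub fails one or both.
    param([Parameter(Mandatory)][string]$Path)
    $dir = Split-Path -Parent $Path
    $inSystemDir = $SystemDirs | Where-Object { $_ -ieq $dir }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $signedByMs = ($sig.Status -eq 'Valid') -and
                  ($sig.SignerCertificate.Subject -like '*O=Microsoft Corporation*')
    return ([bool]$inSystemDir -and $signedByMs)
}

function Find-LoadedAmsi {
    # Walk every process's module list and report each amsi.dll that is
    # loaded, marking whether its on-disk path is trusted.  Processes whose
    # modules cannot be read (access denied, other bitness) are skipped.
    foreach ($p in Get-Process) {
        try { $mods = $p.Modules } catch { continue }
        foreach ($m in $mods) {
            if ($m.ModuleName -ine 'amsi.dll') { continue }
            [pscustomobject]@{
                Pid     = $p.Id
                Process = $p.ProcessName
                Path    = $m.FileName
                Trusted = Test-TrustedAmsiPath -Path $m.FileName
            }
        }
    }
}

function Find-StrayAmsi {
    # Look for amsi.dll copies in directories a DLL search can reach before
    # System32: the PowerShell binary's own directory, the current directory
    # and every PATH entry.  Also flag directories that a standard user can
    # write to, since that is what lets a non-admin plant the DLL.
    $candidates = @($PSHOME, (Get-Location).Path) +
                  ($env:Path -split ';' | Where-Object { $_ })
    foreach ($dir in ($candidates | Sort-Object -Unique)) {
        $dll = Join-Path $dir 'amsi.dll'
        if (-not (Test-Path -LiteralPath $dll)) { continue }
        $acl = Get-Acl -LiteralPath $dir
        $userWritable = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference -match 'Users|Everyone|Authenticated Users' -and
            $_.FileSystemRights -match 'Write|Modify|FullControl'
        }
        [pscustomobject]@{
            Path         = $dll
            Trusted      = Test-TrustedAmsiPath -Path $dll
            UserWritable = [bool]$userWritable
        }
    }
}

# Anything untrusted in memory, or any stray copy on disk, is worth a look.
Find-LoadedAmsi | Where-Object { -not $_.Trusted }
Find-StrayAmsi  | Where-Object { -not $_.Trusted -or $_.UserWritable }
```

Two caveats when running this. Process.Modules cannot always be enumerated across bitness boundaries or for protected processes, so run the script from both a 64-bit and a 32-bit PowerShell and expect some processes to be silently skipped. The Authenticode check is only meaningful on a host whose certificate store is intact; a stub that reuses the real file's name but is unsigned will show `Status` of `NotSigned`, which is exactly the condition that separates the planted DLL from the genuine one.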
