
Summary
This detection rule identifies a persistence and defense-evasion technique in which a threat actor registers a new AMSI (Antimalware Scan Interface) provider on a Windows host. AMSI providers are COM in-process servers that Windows loads into AMSI-enabled clients (PowerShell, Windows Script Host, Office macros and others), and each provider receives the content those clients submit for scanning. A provider controlled by the attacker therefore sees, and can tamper with, the very buffers that security products relying on AMSI use for detection. Registration is recorded in the registry as a new subkey, named by the provider's CLSID, under \SOFTWARE\Microsoft\AMSI\Providers\ (64-bit) or \SOFTWARE\WOW6432Node\Microsoft\AMSI\Providers\ (32-bit), both beneath HKLM. The rule alerts on registry key creation under these two paths and filters out entries created by known, trusted software (for example the provider installed by the built-in antimalware engine) to reduce false positives. Because that filter is an allowlist, any newly created provider CLSID that is not on it should be treated as suspicious until the DLL behind it has been identified and verified.
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
Created: 2022-07-21
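The following is an added worked example, not the rule's own query or any vendor's implementation. It evaluates the logic described in the summary (key creation under either AMSI Providers path, minus an allowlist of known providers) over a handful of constructed registry events in the style of Sysmon Event ID 12 fields. The event layout, the process paths and the unknown CLSID are invented for the example; the allowlisted CLSID is the Windows Defender AMSI provider as published by Microsoft, and is assumed here to be the only trusted provider on the host.

```python
"""Toy evaluation of the AMSI-provider registration rule over constructed
registry events. Example code, not the rule's own implementation."""
import re
from dataclasses import dataclass

# Both provider roots named in the rule (64-bit and WOW6432Node). The key
# created directly beneath them is named by the provider's CLSID; the trailing
# group also accepts deeper subkeys so that the first CLSID component is used.
AMSI_PROVIDER_RE = re.compile(
    r"\\SOFTWARE\\(?:WOW6432Node\\)?Microsoft\\AMSI\\Providers\\"
    r"(\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\})(?:\\|$)"
)

# Assumed allowlist of trusted provider CLSIDs. The entry below is the Windows
# Defender AMSI provider; extend it with the providers of the AV/EDR products
# actually deployed in your estate, after verifying each one.
KNOWN_PROVIDERS = {
    "{2781761E-28E0-4109-99FE-B9D127C57AFE}",
}


@dataclass
class RegistryEvent:
    event_type: str      # "CreateKey", "DeleteKey", "SetValue", ...
    target_object: str   # full key path as logged, e.g. "HKLM\\SOFTWARE\\..."
    image: str           # process that performed the change


@dataclass
class Alert:
    clsid: str
    target_object: str
    image: str


def provider_clsid(target_object: str):
    """Return the provider CLSID (upper-cased) if the path is at or below an
    AMSI Providers subkey, otherwise None."""
    m = AMSI_PROVIDER_RE.search(target_object)
    return m.group(1).upper() if m else None


def evaluate(events, known=KNOWN_PROVIDERS):
    """Apply the rule: alert on key creation under an AMSI Providers path
    whose CLSID is not on the allowlist."""
    alerts = []
    for ev in events:
        if ev.event_type != "CreateKey":
            continue  # the rule covers registration (key creation) only
        clsid = provider_clsid(ev.target_object)
        if clsid is None or clsid in known:
            continue
        alerts.append(Alert(clsid, ev.target_object, ev.image))
    return alerts


# Constructed sample events: one trusted registration, one unknown provider
# registered from a user-writable path, one unrelated Run-key change, and one
# deletion that the rule deliberately ignores.
SAMPLE_EVENTS = [
    RegistryEvent("CreateKey",
                  r"HKLM\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFE}",
                  r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18\MsMpEng.exe"),
    RegistryEvent("CreateKey",
                  r"HKLM\SOFTWARE\WOW6432Node\Microsoft\AMSI\Providers\{12345678-ABCD-4EF0-9876-0123456789AB}",
                  r"C:\Users\Public\stage.exe"),
    RegistryEvent("SetValue",
                  r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
                  r"C:\Users\Public\stage.exe"),
    RegistryEvent("DeleteKey",
                  r"HKLM\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFE}",
                  r"C:\Windows\System32\reg.exe"),
]


if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS):
        print(f"ALERT new AMSI provider {a.clsid} registered by {a.image}")
```

Run as written, only the second event produces an alert. For triage, the Providers subkey names a COM class, so the next step is to resolve HKLM\SOFTWARE\Classes\CLSID\{CLSID}\InprocServer32 to the DLL it points at and check that file's signature and origin before deciding whether the CLSID belongs on the allowlist.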