
Summary
This rule detects tampering with Anti-Malware Scan Interface (AMSI) related registry values via command line tools such as reg.exe and PowerShell. AMSI is designed to help applications integrate with antimalware software to scan for potential threats. By disabling AMSI, attackers aim to evade detection during the execution of malicious scripts. The detection rule focuses on key indicators such as the alteration of registry values linked to AMSI, specifically looking for changes associated with the AmsiEnable registry value. It combines command line arguments, process names, and potential registry modifications to identify this malicious behavior. The rule fires when the command line indicates that an addition is being made to the AMSI registry settings and matches known reg.exe or PowerShell syntax. False positives may occur with unknown commands, but the activity is overall considered high risk due to the nature of the actions being monitored.
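To make the detection logic concrete, the following is an added example (not the rule's own query language or any vendor's code) that applies the same conditions to process-creation telemetry: the process is reg.exe or PowerShell, the command line references the AmsiEnable value, and the verb is a write (reg.exe "add", or PowerShell's Set-ItemProperty / New-ItemProperty and the "sp" alias). The event field names (EventId, Image, CommandLine) and all sample command lines are constructed for this example; the registry path under HKCU is the Windows Script Host settings key where AmsiEnable lives.

```python
import re
from typing import Dict, List

# Process images the rule associates with registry tampering via the command line.
TAMPER_TOOLS = {"reg.exe", "powershell.exe", "pwsh.exe"}

# The registry value the rule keys on. Windows registry value names are
# case-insensitive, so the match is too.
AMSI_VALUE = re.compile(r"amsienable", re.IGNORECASE)

# Write verbs per tool. reg.exe writes with "add"; PowerShell writes registry
# values with Set-ItemProperty / New-ItemProperty ("sp" is the Set- alias).
REG_WRITE = re.compile(r"(^|\s)add(\s|$)", re.IGNORECASE)
PS_WRITE = re.compile(r"(set-itemproperty|new-itemproperty|(^|\s)sp\s)", re.IGNORECASE)


def image_name(image: str) -> str:
    """Return the lower-cased file name of a process image path."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_amsi_registry_tamper(image: str, command_line: str) -> bool:
    """True when the event matches the rule: known tool + AmsiEnable + a write verb."""
    name = image_name(image)
    if name not in TAMPER_TOOLS:
        return False
    if not AMSI_VALUE.search(command_line):
        return False
    if name == "reg.exe":
        return bool(REG_WRITE.search(command_line))
    # powershell.exe / pwsh.exe
    return bool(PS_WRITE.search(command_line))


def scan_events(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Filter a list of process-creation events down to the ones that fire the rule."""
    return [e for e in events if is_amsi_registry_tamper(e["Image"], e["CommandLine"])]


# Constructed sample telemetry (hypothetical field names; not real log output).
SAMPLE_EVENTS = [
    {"EventId": 1, "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg.exe add "HKCU\Software\Microsoft\Windows Script\Settings" /v AmsiEnable /t REG_DWORD /d 0 /f'},
    # A read of the same value is not tampering and must not fire.
    {"EventId": 2, "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg.exe query "HKCU\Software\Microsoft\Windows Script\Settings" /v AmsiEnable'},
    {"EventId": 3, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -c Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows Script\Settings' -Name AmsiEnable -Value 0"},
    # Get-ItemProperty is a read; no write verb, so no alert.
    {"EventId": 4, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -c Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows Script\Settings' -Name AmsiEnable"},
    # Mentions the value but from a process the rule does not cover.
    {"EventId": 5, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe AmsiEnable-notes.txt"},
]


if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        print(f"ALERT event {hit['EventId']}: {hit['CommandLine']}")
```

Run against the constructed events, only events 1 and 3 fire. The value written is deliberately not checked (the rule fires on any addition to the setting, not only on a 0), which is why the summary expects some false positives from unusual but benign commands; triage should look at the written data and the parent process.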
Categories
- Endpoint
- Windows
Data Sources
- Process
- Windows Registry
ATT&CK Techniques
- T1562.001
Created: 2025-12-25