
Summary
This detection rule identifies attempts to disable the Anti-Malware Scan Interface (AMSI) on Windows systems by monitoring registry changes. Specifically, it looks for modifications to the 'AmsiEnable' registry value, which is either absent or set to a DWORD value of 1 while AMSI is active. When an adversary sets this value to 0, AMSI is switched off for the affected scripting host, so script content is no longer handed to the installed antimalware provider for scanning and malicious scripts can run undetected. The documented location of this value is under the current user's hive (HKCU\Software\Microsoft\Windows Script\Settings), which an unprivileged process can write, so a match from a non-administrative context is still significant; a write of 1, by contrast, re-enables AMSI and should not be treated as a hit. The rule is categorized as high severity, reflecting the risk of this behavior: AMSI exists so that antivirus products can inspect scripts and other in-memory content before it executes, and disabling it is a classic defense-evasion step (T1562.001, Impair Defenses: Disable or Modify Tools). The rule is marked as experimental and includes references to resources that provide more context on AMSI bypass techniques and on the implications of manipulating this registry setting.
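The following is an added example, not the rule's own logic or any vendor code, showing the detection condition described above applied to registry value-set telemetry. It assumes Sysmon Event ID 13 (RegistryEvent: Value Set) records reduced to the EventID, EventType, Image, TargetObject and Details fields, with Sysmon's "DWORD (0x00000000)" rendering of DWORD data; the sample events, SIDs and image paths are constructed for illustration.

```python
import re

# Constructed Sysmon Event ID 13 (RegistryEvent: Value Set) records, reduced to the
# fields this rule needs. Illustrative samples, not real telemetry.
SAMPLE_EVENTS = [
    {   # AmsiEnable set to 0 by reg.exe in a user hive: should alert
        "EventID": 13, "EventType": "SetValue",
        "Image": r"C:\Windows\System32\reg.exe",
        "TargetObject": r"HKU\S-1-5-21-1004336348-1177238915-682003330-1001\Software\Microsoft\Windows Script\Settings\AmsiEnable",
        "Details": "DWORD (0x00000000)",
    },
    {   # AmsiEnable set back to 1 (re-enabling AMSI): must not alert
        "EventID": 13, "EventType": "SetValue",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "TargetObject": r"HKU\S-1-5-21-1004336348-1177238915-682003330-1001\Software\Microsoft\Windows Script\Settings\AmsiEnable",
        "Details": "DWORD (0x00000001)",
    },
    {   # Unrelated value under the same key set to 0: must not alert
        "EventID": 13, "EventType": "SetValue",
        "Image": r"C:\Windows\System32\wscript.exe",
        "TargetObject": r"HKU\S-1-5-21-1004336348-1177238915-682003330-1001\Software\Microsoft\Windows Script\Settings\Timeout",
        "Details": "DWORD (0x00000000)",
    },
    {   # Key creation without a value write (Event ID 12): must not alert
        "EventID": 12, "EventType": "CreateKey",
        "Image": r"C:\Windows\System32\reg.exe",
        "TargetObject": r"HKU\S-1-5-21-1004336348-1177238915-682003330-1001\Software\Microsoft\Windows Script\Settings",
        "Details": "",
    },
]

# Sysmon renders DWORD registry data as e.g. "DWORD (0x00000000)".
_DWORD_RE = re.compile(r"^DWORD \(0x([0-9A-Fa-f]{8})\)$")


def parse_dword(details):
    """Return the integer value of a Sysmon DWORD 'Details' string, or None if it is not a DWORD."""
    m = _DWORD_RE.match(details or "")
    return int(m.group(1), 16) if m else None


def is_amsi_disable(event):
    """True when the event is a value-set of AmsiEnable to 0 (AMSI being switched off)."""
    if event.get("EventID") != 13 or event.get("EventType") != "SetValue":
        return False
    # Match on the value name only, so HKU/HKCU and HKLM paths and any casing all count.
    if not event.get("TargetObject", "").lower().endswith(r"\amsienable"):
        return False
    # Only a value of 0 disables AMSI; a write of 1 re-enables it and is not a hit.
    return parse_dword(event.get("Details")) == 0


def detect(events):
    """Apply the rule over a batch of events and return the matching ones."""
    return [e for e in events if is_amsi_disable(e)]


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"ALERT AMSI disabled via registry: {hit['Image']} -> {hit['TargetObject']}")
```

Run against the constructed batch, only the first record matches: the re-enable write, the unrelated value and the bare key creation are all rejected, which is the behaviour a tuned version of this rule should have to keep false positives down.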
Categories
- Windows
Data Sources
- Windows Registry
ATT&CK Techniques
- T1562.001
Created: 2025-12-25