Overview
The AMSIProviders command enumerates all providers that are registered with the Windows Antimalware Scan Interface (AMSI). AMSI is a security feature that allows applications and services to integrate with any antimalware product present on a system, providing additional protection against malicious scripts and code. This command identifies which security products and components have registered themselves as AMSI providers, giving insight into the endpoint protection capabilities of the system.
Syntax
Remote Execution
Output
The command returns information about registered AMSI providers, including:
- Provider CLSID (Class Identifier)
- Provider DLL path
- Provider name and registration details
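The same three pieces of information can be pulled straight from the registry, which is useful for baselining what a managed host should report. The following PowerShell is an added example, not the command's own code: it walks the AMSI provider registrations, resolves each CLSID to its display name and DLL, and flags providers whose DLL is missing, unsigned, or outside the directories where your security products are expected to live (the trusted-directory list is an assumption to adjust per environment).

```powershell
# Added example (not part of the original documentation): inventory the AMSI
# providers registered on the local host from the registry, so a defender can
# baseline which products should be present and spot anything that looks off.
function Get-AmsiProviderInventory {
    [CmdletBinding()]
    param(
        # Directories where legitimate provider DLLs are expected (assumption;
        # adjust to the security products deployed in your environment).
        [string[]]$TrustedRoots = @("$env:ProgramFiles", "${env:ProgramFiles(x86)}", "$env:SystemRoot\System32")
    )

    $providersKey = 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers'
    if (-not (Test-Path $providersKey)) {
        Write-Warning "No AMSI provider key found at $providersKey"
        return
    }

    foreach ($sub in Get-ChildItem -Path $providersKey) {
        $clsid  = $sub.PSChildName                       # subkey name is the provider {CLSID}
        $clsKey = "HKLM:\SOFTWARE\Classes\CLSID\$clsid"
        $name = $null; $dll = $null
        if (Test-Path $clsKey) {
            # Default value of the CLSID key is the display name; InprocServer32 holds the DLL path
            $name   = (Get-ItemProperty -Path $clsKey -ErrorAction SilentlyContinue).'(default)'
            $inproc = Get-ItemProperty -Path "$clsKey\InprocServer32" -ErrorAction SilentlyContinue
            if ($inproc) { $dll = [Environment]::ExpandEnvironmentVariables($inproc.'(default)') }
        }
        $exists  = [bool]($dll -and (Test-Path -LiteralPath $dll))
        $trusted = $false
        if ($dll) {
            foreach ($root in $TrustedRoots) {
                if ($root -and $dll.StartsWith($root, 'OrdinalIgnoreCase')) { $trusted = $true }
            }
        }
        [pscustomobject]@{
            CLSID        = $clsid
            Name         = $name
            DllPath      = $dll
            DllExists    = $exists
            InTrustedDir = $trusted
            Signature    = if ($exists) { (Get-AuthenticodeSignature -FilePath $dll).Status } else { 'n/a' }
        }
    }
}

# Rows with DllExists=False, InTrustedDir=False or a Signature other than Valid deserve a closer look.
Get-AmsiProviderInventory | Format-Table -AutoSize
```

Run it from an elevated PowerShell session; reading these keys needs no special rights, but the Authenticode check is more reliable when the DLL directories are fully accessible.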
Use Cases
- Red Team
- Blue Team
- Identify endpoint protection capabilities
- Discover which security products are monitoring script execution
- Plan evasion strategies based on registered providers
- Assess detection surface before executing scripts or payloads
Example Output
Remote Execution
This command supports remote execution using the -computername parameter.
Detection Considerations
- Registry Access: Queries AMSI provider registration keys in HKLM\SOFTWARE\Microsoft\AMSI
- WMI Activity: Remote execution generates WMI queries that can be logged
- Event Logs: May trigger registry access monitoring if configured
- EDR Telemetry: Security products may alert on enumeration of AMSI configuration
Defensive Recommendations
- Monitor registry access to AMSI configuration keys
- Implement alerts for multiple security enumeration commands in succession
- Review WMI activity logs for unusual remote queries
- Correlate with other reconnaissance activities
Related Commands
- AntiVirus - Enumerate registered antivirus products
- WindowsDefender - Windows Defender specific settings
- OSInfo - General operating system information
- SecurityPackages - Enumerate available security packages