
Summary
This detection rule identifies PowerShell script blocks that invoke cmdlets and parameters attackers commonly use to disable Windows Defender features, so that their subsequent activity is less likely to be detected (Defense Evasion, T1562.001, delivered through PowerShell, T1059.001). It matches on the text of logged script blocks rather than on process command lines, so it depends on PowerShell Script Block Logging being enabled: matching content is recorded as Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log, and without that setting the rule produces no matches at all. The logic looks for the Set-MpPreference cmdlet in combination with its Disable parameters (for example DisableRealtimeMonitoring), each of which turns off a specific Defender protection. Detection is scoped to Windows hosts, and known benign instances are excluded to reduce false positives. Before relying on this rule, confirm that script block logging is actually on (the EnableScriptBlockLogging value under HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging, or the equivalent Group Policy setting) and that 4104 events reach the SIEM. Any match should be treated as a strong signal that the host's security posture is being deliberately degraded, and analysts should understand both how these scripts weaken Defender and why script block logging is the visibility that makes the rule work.
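As an added illustration (not the rule's own logic and not code from the page), the following Python sketch applies the same matching idea to constructed Event ID 4104 script block texts. The Disable parameter list, the benign-path filter and the sample events are this example's assumptions: the page names Set-MpPreference and "disable parameters" but does not list the exact parameters or the exclusions the real rule uses. The example goes slightly beyond a plain string match by resolving PowerShell's abbreviated parameter names and by catching parameters passed through a splat table, two forms a substring rule on "-DisableRealtimeMonitoring" would miss.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Real Set-MpPreference parameters that each switch off one Defender protection.
# The page names the cmdlet but not the exact list its rule matches, so this
# list is the example's own selection.
DISABLE_PARAMETERS = (
    "DisableRealtimeMonitoring",
    "DisableBehaviorMonitoring",
    "DisableIOAVProtection",
    "DisableScriptScanning",
    "DisableIntrusionPreventionSystem",
    "DisableBlockAtFirstSeen",
    "DisableArchiveScanning",
    "DisableCatchupFullScan",
    "DisableCatchupQuickScan",
    "DisableRemovableDriveScanning",
)

CMDLET_RE = re.compile(r"\bSet-MpPreference\b", re.IGNORECASE)
# A Disable* token, optionally with a leading '-', optionally followed by a
# value: '-Name $true', '-Name:$false', or 'Name = $true' inside a splat table.
PARAM_RE = re.compile(
    r"(?<![\w-])-?(disable\w*)(?:\s*[:=]\s*|[ \t]+)?(\$?\w+)?", re.IGNORECASE
)
OFF_VALUES = {"$false", "false", "0"}  # values that re-enable rather than disable


def resolve_parameter(token: str) -> str | None:
    """Map a possibly abbreviated parameter token to its canonical name.

    PowerShell binds any unambiguous prefix ('-DisableRealtimeMon' works);
    an ambiguous prefix such as '-DisableCatchup' is a binding error.
    """
    token = token.lower()
    hits = [p for p in DISABLE_PARAMETERS if p.lower().startswith(token)]
    return hits[0] if len(hits) == 1 else None


def disable_parameters_in(script_block_text: str) -> list[str]:
    """Canonical Disable* parameters a script block passes to Set-MpPreference."""
    if not CMDLET_RE.search(script_block_text):
        return []
    found: list[str] = []
    for m in PARAM_RE.finditer(script_block_text):
        name = resolve_parameter(m.group(1))
        value = (m.group(2) or "").lower()
        # No value, $true, 1 or a variable all count as disabling (err toward alerting).
        if name and value not in OFF_VALUES and name not in found:
            found.append(name)
    return found


@dataclass
class ScriptBlockEvent:
    """Minimal view of a Microsoft-Windows-PowerShell/Operational event 4104."""
    script_block_text: str
    path: str = ""  # script path; empty when the block was typed interactively


def evaluate(event: ScriptBlockEvent, benign_paths: frozenset[str] = frozenset()) -> dict | None:
    """Apply the rule to one event; None when it does not fire.

    benign_paths stands in for the rule's false-positive filter; the page
    says known benign instances are excluded without listing them.
    """
    if event.path.lower() in {p.lower() for p in benign_paths}:
        return None
    disabled = disable_parameters_in(event.script_block_text)
    return {"path": event.path, "disabled": disabled} if disabled else None


def run(events: list[ScriptBlockEvent], benign_paths: frozenset[str] = frozenset()) -> list[dict]:
    return [a for a in (evaluate(e, benign_paths) for e in events) if a]


# Constructed script block texts, not captured events.
SAMPLE_EVENTS = [
    ScriptBlockEvent("Set-MpPreference -DisableRealtimeMonitoring $true -DisableIOAVProtection $true"),
    ScriptBlockEvent("set-mppreference -disablerealtimemon 1",          # abbreviated, odd casing
                     path=r"C:\Users\bob\AppData\Local\Temp\stage.ps1"),
    ScriptBlockEvent("$p = @{ DisableBehaviorMonitoring = $true; DisableScriptScanning = $true }\n"
                     "Set-MpPreference @p"),                             # splatting, no '-Name' form
    ScriptBlockEvent("Set-MpPreference -DisableRealtimeMonitoring $false"),            # re-enabling
    ScriptBlockEvent("Get-MpPreference | Select-Object DisableRealtimeMonitoring"),     # read-only
    ScriptBlockEvent(r"Set-MpPreference -ExclusionPath 'C:\build'"),                    # not a Disable* switch
    ScriptBlockEvent("Set-MpPreference -DisableArchiveScanning $true",
                     path=r"C:\Program Files\Vendor\tune.ps1"),          # hypothetical allowlisted script
]
BENIGN_PATHS = frozenset({r"C:\Program Files\Vendor\tune.ps1"})  # hypothetical exclusion

if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS, BENIGN_PATHS):
        print(alert)
```

Running the sketch over the sample events fires on the first three blocks (full names, an abbreviated lower-case name, and a splat table) and stays quiet on the re-enable, the read-only Get-MpPreference call, the exclusion-path change and the allowlisted script. Two caveats follow from that: the rule as described covers the Disable parameters only, so related tampering such as adding exclusions with -ExclusionPath or Add-MpPreference needs its own detection, and the allowlist is path-based here purely for illustration, since the page does not say what the real rule excludes.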
Categories
- Endpoint
Data Sources
- Windows Registry
- Script
- Process
- Application Log
- File
- Logon Session
ATT&CK Techniques
- T1562
- T1562.001
- T1059
- T1059.001
Created: 2024-09-11