
Summary
This detection rule identifies use of the PowerShell cmdlet `Disable-WindowsOptionalFeature`, which manages Windows features within images. The cmdlet provides functionality similar to DISM (Deployment Image Servicing and Management), allowing users to enumerate, install, uninstall, configure, and update features and packages. Attackers can abuse this capability to disable essential security features such as Windows Defender, making subsequent malicious activity on the system easier. Monitoring execution of this cmdlet, especially with arguments that refer to security features, is therefore critical for maintaining the integrity of the Windows environment. The rule leverages script block logging to capture script executions that match patterns indicating the disablement of key features. Unauthorized modification of system features poses a significant risk to overall system security, so matches warrant prompt investigation.
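The following is an added example written for this page, not the rule's own query or the project's code. It shows the kind of matching the summary describes: scanning PowerShell script block log records (Event ID 4104, whose ScriptBlockText field is assumed to be available) for `Disable-WindowsOptionalFeature` invocations whose `-FeatureName` argument refers to a security feature. The feature-name prefix it treats as security-relevant (`windows-defender`) and the sample records are assumptions constructed for illustration; a production rule would carry its own feature list. It also handles the parameter forms the cmdlet accepts that a naive string match would miss: the `-FeatureName:value` form, PowerShell parameter abbreviations such as `-Feat`, quoted values, and comma-separated feature lists.

```python
"""Added example: matching Disable-WindowsOptionalFeature in script block logs.

Illustrative detection logic written for this page, not the rule's own query.
Assumes script block logging (Event ID 4104) records with a ScriptBlockText
field. The security-relevant feature prefix is an assumption for the example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumed security-relevant optional feature prefix (illustrative, not the rule's list).
SECURITY_FEATURE_PREFIXES = ("windows-defender",)

CMDLET_RE = re.compile(r"\bDisable-WindowsOptionalFeature\b", re.IGNORECASE)
# Matches -FeatureName, abbreviations such as -Feat, and the "-FeatureName:value"
# form; the value may be quoted and may be a comma-separated list. The lookbehind
# requires the parameter to start a token so "-Features" inside a value is not
# mistaken for a parameter name.
FEATURE_RE = re.compile(
    r"(?<!\S)-Feat[A-Za-z]*(?:\s+|\s*:\s*)['\"]?([\w.\-,]+)", re.IGNORECASE)


@dataclass(frozen=True)
class Alert:
    record_id: int
    features: tuple[str, ...]
    script: str


def extract_disabled_features(script: str) -> list[str]:
    """Return the feature names passed to Disable-WindowsOptionalFeature, if any."""
    if not CMDLET_RE.search(script):
        return []
    names: list[str] = []
    for group in FEATURE_RE.findall(script):
        names.extend(n.strip() for n in group.split(",") if n.strip())
    return names


def is_security_feature(name: str) -> bool:
    """Case-insensitive prefix match against the assumed security feature list."""
    return name.lower().startswith(SECURITY_FEATURE_PREFIXES)


def scan(records: list[dict]) -> list[Alert]:
    """One alert per record that disables at least one security feature."""
    alerts: list[Alert] = []
    for rec in records:
        text = rec["ScriptBlockText"]
        hits = tuple(f for f in extract_disabled_features(text) if is_security_feature(f))
        if hits:
            alerts.append(Alert(rec["RecordId"], hits, text.strip()))
    return alerts


# Constructed sample records in the shape of Event ID 4104 entries (not real logs).
SAMPLE_RECORDS = [
    {"RecordId": 1, "ScriptBlockText":
        "Disable-WindowsOptionalFeature -Online -FeatureName Windows-Defender -NoRestart"},
    {"RecordId": 2, "ScriptBlockText":
        "Disable-WindowsOptionalFeature -Online -FeatureName Internet-Explorer-Optional-amd64"},
    {"RecordId": 3, "ScriptBlockText":
        'disable-windowsoptionalfeature -online -featurename:"Windows-Defender-Features"'},
    {"RecordId": 4, "ScriptBlockText":
        "Get-WindowsOptionalFeature -Online | Where-Object State -eq Enabled"},
    {"RecordId": 5, "ScriptBlockText":
        "Disable-WindowsOptionalFeature -Online -Feat Windows-Defender-Gui,Windows-Defender-Features -NoRestart"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_RECORDS):
        print(f"record {alert.record_id}: disables {', '.join(alert.features)}")
```

Records 1, 3 and 5 produce alerts; record 2 disables an unrelated feature and record 4 only enumerates features, so neither matches. Matching on the cmdlet name alone would also flag record 2, which is why the example inspects the feature argument rather than the cmdlet name by itself.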
Categories
- Windows
- Endpoint
Data Sources
- Script
ATT&CK Techniques
- T1562.001
Created: 2022-09-10