
Summary
This detection rule identifies modifications to Windows Defender that may indicate an adversary attempting to evade detection. Adversaries frequently change security configurations to hide their activity, such as executing unauthorized commands or malware. The rule leverages Sysmon logging to monitor event codes associated with changes to the Windows Defender configuration, specifically looking for `Set-MpPreference` or `Add-MpPreference` commands, which indicate alterations to its settings. It aggregates events over a 60-second window and counts the distinct processes making these modifications. An alert is emitted when one or more distinct processes modify Windows Defender settings within that window, which may indicate evasion tactics employed by threat actors. The rule is particularly relevant for organizations running Windows environments and aims to detect activity linked to threat actor groups such as BlackByte, Lazarus, and REvil, among others, which are known to make such modifications to carry out their operations unnoticed.
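The following Python script is an added illustration of the aggregation logic the summary describes; it is not the rule's own query or code from the vendor. It runs over a handful of constructed Sysmon-style process-creation records (the hostnames, image paths and command lines are made up for the example), keeps only events whose command line invokes `Set-MpPreference` or `Add-MpPreference`, buckets them per host into fixed 60-second windows, counts the distinct process images in each window, and emits an alert when that count reaches the threshold of one stated on the page.

```python
"""Toy implementation of the Windows Defender modification detection logic (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed Sysmon-style process-creation records; not real telemetry.
SAMPLE_EVENTS = [
    {"time": "2024-02-09T10:00:01Z", "host": "WS01",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -nop -c Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"time": "2024-02-09T10:00:15Z", "host": "WS01",
     "image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe",
     "cmdline": "pwsh.exe -c Add-MpPreference -ExclusionPath C:\\Temp"},
    {"time": "2024-02-09T10:00:40Z", "host": "WS01",
     "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd.exe /c dir C:\\Temp"},                       # benign, no match
    {"time": "2024-02-09T10:05:00Z", "host": "WS01",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe Get-MpPreference"},                # read-only, no match
    {"time": "2024-02-09T10:30:07Z", "host": "WS02",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe set-mppreference -DisableIOAVProtection $true"},  # different case
]

# Only the two cmdlets named on the page count as a modification; case-insensitive
# because PowerShell cmdlet names are not case-sensitive.
MP_CMDLET = re.compile(r"\b(?:Set|Add)-MpPreference\b", re.IGNORECASE)


def is_defender_modification(cmdline: str) -> bool:
    """True when the command line invokes Set-MpPreference or Add-MpPreference."""
    return MP_CMDLET.search(cmdline) is not None


def _epoch(ts: str) -> int:
    """Parse the ISO-8601 UTC timestamp used in the sample records into epoch seconds."""
    return int(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
               .replace(tzinfo=timezone.utc).timestamp())


def detect(events, window_seconds: int = 60, threshold: int = 1):
    """Bucket matching events per host into fixed windows and alert on distinct-process count.

    Returns one alert dict per (host, window) whose distinct process-image count
    reaches `threshold`, sorted by host and window start.
    """
    buckets = defaultdict(lambda: {"images": set(), "cmdlines": []})
    for ev in events:
        if not is_defender_modification(ev["cmdline"]):
            continue
        # Fixed-size window: floor the timestamp to the nearest window boundary.
        window_start = _epoch(ev["time"]) // window_seconds * window_seconds
        bucket = buckets[(ev["host"], window_start)]
        # Count distinct processes by image file name so the same binary at two
        # paths (or launched twice) is still one process.
        bucket["images"].add(ev["image"].rsplit("\\", 1)[-1].lower())
        bucket["cmdlines"].append(ev["cmdline"])

    alerts = []
    for (host, window_start), bucket in sorted(buckets.items()):
        if len(bucket["images"]) >= threshold:
            alerts.append({
                "host": host,
                "window_start": datetime.fromtimestamp(window_start, tz=timezone.utc).isoformat(),
                "distinct_processes": sorted(bucket["images"]),
                "process_count": len(bucket["images"]),
                "command_lines": bucket["cmdlines"],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

With the page's threshold of one, the window effectively deduplicates rather than filters: any single matching process raises an alert, and the distinct-process count is carried along as triage context (two different hosts in the sample produce two separate alerts). The string match only sees cmdlet names that appear in clear in the command line, so coverage depends on Sysmon capturing the full command line; raising the threshold or keying the window on user rather than host are the knobs a detection engineer would tune against local noise.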
Categories
- Windows
- Endpoint
Data Sources
- Windows Registry
- Process
- Application Log
ATT&CK Techniques
- T1562.001
Created: 2024-02-09