
Disable Windows Defender Functionalities Via Registry Keys

Sigma Rules

Summary
This rule detects adversaries or malware disabling Windows Defender functionality through the Windows Registry. Its log source is Windows registry value-set events (for example Sysmon Event ID 13), and it looks for writes beneath the Defender configuration and policy keys, HKLM\SOFTWARE\Microsoft\Windows Defender\ and HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\. Within those keys it matches DWORD values whose new data represents the disabling of a protection feature: the AntiSpyware and AntiVirus engines as a whole (DisableAntiSpyware, DisableAntiVirus) and individual Real-Time Protection components such as real-time monitoring and behavior monitoring (DisableRealtimeMonitoring, DisableBehaviorMonitoring). The polarity is not uniform across values: the Disable* values mean "off" when set to 1, whereas settings such as TamperProtection and SpyNet reporting are weakened when set to 0, so the rule matches on the written data and not only on the value name; the authoritative list of values is in the rule source. On hosts with Tamper Protection enabled many of these writes have no effect, but the attempt itself remains a strong signal. The rule carries a high level because such writes are a common precursor to ransomware deployment and other post-exploitation activity that needs endpoint defenses out of the way. An optional filter excludes known third-party antivirus products, which legitimately turn Defender off when they register as the active AV; review and extend that filter per environment so that installer noise is suppressed while real tampering is still alerted on.
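As an added example, not code from the original page or from the Sigma project, the matching logic described above re-implemented in Python and run over constructed Sysmon Event ID 13 records. Field names follow Sysmon (Image, TargetObject, Details); the key paths and value names are assumed to mirror the rule and should be checked against the rule source; the third-party AV image path used for the filter is hypothetical.

```python
import re

# Sysmon renders REG_DWORD data in the Details field as "DWORD (0x00000001)".
_DWORD_RE = re.compile(r"^DWORD \(0x([0-9A-Fa-f]{8})\)$")

# Key paths the rule watches: the policy key and the live configuration key.
DEFENDER_KEY_PATHS = (
    "\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\",
    "\\SOFTWARE\\Microsoft\\Windows Defender\\",
)

# Values where data 1 means the feature is turned OFF.
# Assumed to mirror the rule; the authoritative list is in the rule source.
DISABLING_WHEN_1 = (
    "\\DisableAntiSpyware",
    "\\DisableAntiVirus",
    "\\Real-Time Protection\\DisableRealtimeMonitoring",
    "\\Real-Time Protection\\DisableBehaviorMonitoring",
    "\\Real-Time Protection\\DisableIOAVProtection",
    "\\Real-Time Protection\\DisableOnAccessProtection",
)

# Values where data 0 means protection is weakened (reversed polarity).
DISABLING_WHEN_0 = (
    "\\Features\\TamperProtection",
    "\\SpyNet\\SpynetReporting",
    "\\SpyNet\\SubmitSamplesConsent",
)


def parse_dword(details):
    """Return the integer behind a Sysmon DWORD rendering, or None for other data types."""
    m = _DWORD_RE.match(details or "")
    return int(m.group(1), 16) if m else None


def is_defender_tamper(event, trusted_images=()):
    """True if a registry-set event matches the rule's logic (case-insensitive, as Sigma matches)."""
    if event.get("EventID") != 13:  # Sysmon: registry value set
        return False
    target = (event.get("TargetObject") or "").lower()
    if not any(p.lower() in target for p in DEFENDER_KEY_PATHS):
        return False
    value = parse_dword(event.get("Details"))
    if value is None:  # the rule only matches DWORD data
        return False
    image = (event.get("Image") or "").lower()
    if image in (t.lower() for t in trusted_images):  # optional third-party AV filter
        return False
    if value == 1 and any(target.endswith(v.lower()) for v in DISABLING_WHEN_1):
        return True
    return value == 0 and any(target.endswith(v.lower()) for v in DISABLING_WHEN_0)


def find_tamper_events(events, trusted_images=()):
    """Return the events the rule would alert on."""
    return [e for e in events if is_defender_tamper(e, trusted_images)]


# Constructed sample events in Sysmon Event ID 13 shape (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": "C:\\Windows\\System32\\reg.exe",  # reg.exe turns real-time monitoring off
     "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": "C:\\Windows\\System32\\svchost.exe",  # same value set back to 0: re-enabling
     "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",  # reversed polarity
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\SpyNet\\SpynetReporting",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "Image": "C:\\Windows\\System32\\svchost.exe",  # Defender key, value not covered by the rule
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Scan\\ScanParameters",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": "C:\\Program Files\\ExampleAV\\setup.exe",  # hypothetical third-party AV installer
     "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiVirus",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": "C:\\Windows\\System32\\reg.exe",  # non-DWORD data: not matched
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Features\\TamperProtection",
     "Details": "disabled"},
]

# Hypothetical allowlist standing in for the rule's optional third-party AV filter.
TRUSTED_AV_IMAGES = ("C:\\Program Files\\ExampleAV\\setup.exe",)

if __name__ == "__main__":
    for hit in find_tamper_events(SAMPLE_EVENTS, TRUSTED_AV_IMAGES):
        print(f"ALERT {hit['Image']} -> {hit['TargetObject']} = {hit['Details']}")
```

Run without the allowlist the script flags three events (reg.exe, powershell.exe and the AV installer); with it, the installer write is suppressed while the two tampering writes still alert, which is the trade-off the optional filter makes. The re-enable write and the string-typed write fall through because the rule keys on the written DWORD data, not only on the value name.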
Categories
  • Windows
  • Endpoint
Data Sources
  • Windows Registry
Created: 2022-08-01