
Summary
This rule detects attempts to modify Windows Defender settings via PowerShell, specifically the addition of exclusions for paths (files or directories), file extensions or processes. Adversaries add exclusions so that their tooling is never scanned, a defense-evasion step that lets later stages of an intrusion run without antivirus interference; an example of this tactic is the use of Trickbot to disable Windows Defender. The rule matches process-creation events in which PowerShell executes commands that change Defender preferences with parameters that exclude specific items. Legitimate administrators also add exclusions, so some false positives are expected and each alert needs triage rather than automatic action. Investigation should cover the process execution chain (the parent process and how PowerShell was launched), whether the user and timing fit a sanctioned administrative change, and a detailed review of every excluded path, extension or process to establish what it protects and why it was added. The rule is intended for environments that monitor endpoint activity for defense-evasion tactics.
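As an added example, not the rule's own query, the following Python applies the same matching idea to a few constructed process-creation events and pulls out the excluded items for triage. It assumes the Defender cmdlets are Add-MpPreference and Set-MpPreference with -Exclusion* parameters, assumes the event field names (process_name, parent_name, user, command_line), and also expands a -EncodedCommand argument before matching, since a plain substring check on the command line misses exclusions hidden in a base64 payload. The accepted spellings of -EncodedCommand are an assumption.

```python
"""Detection logic for Windows Defender exclusions added via PowerShell.

Added example, not the rule's own query. It runs a matching check over
constructed Sysmon/EDR-style process-creation events and extracts the
exclusions an analyst would review. Field names are assumptions.
"""
import base64
import re

POWERSHELL_NAMES = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}

# Cmdlets that change Defender preferences; the -Exclusion* parameters
# (Path, Extension, Process, IpAddress) are the ones this rule cares about.
MPPREF_RE = re.compile(r"(?i)\b(?:Add|Set)-MpPreference\b")
# Parameter name plus its value(s), stopping at the next parameter, a
# statement separator or end of line.
EXCLUSION_RE = re.compile(r"(?i)-(Exclusion\w*)\s+(.+?)(?=\s+-[A-Za-z]|\s*[;|]|$)")
# powershell.exe accepts unambiguous prefixes of -EncodedCommand; the set
# of spellings below is an assumption, not an exhaustive list.
ENCODED_RE = re.compile(
    r"(?i)(?:^|\s)-(?:e|ec|en|enc|encoded|encodedcommand)\s+([A-Za-z0-9+/=]{8,})"
)


def decode_encoded_command(cmdline: str) -> str:
    """Return the plaintext of an -EncodedCommand argument, or '' if none."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return ""
    try:
        # PowerShell encodes the script as UTF-16LE before base64.
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def effective_command(cmdline: str) -> str:
    """Command line plus whatever an encoded payload expands to."""
    decoded = decode_encoded_command(cmdline)
    return cmdline + (" " + decoded if decoded else "")


def is_defender_exclusion_change(event: dict) -> bool:
    """True when PowerShell runs Add/Set-MpPreference with an -Exclusion* parameter."""
    if event.get("process_name", "").lower() not in POWERSHELL_NAMES:
        return False
    cmd = effective_command(event.get("command_line", ""))
    return bool(MPPREF_RE.search(cmd) and EXCLUSION_RE.search(cmd))


def extract_exclusions(cmdline: str) -> list:
    """(parameter, value) pairs, one per excluded item, quotes stripped."""
    out = []
    for param, raw in EXCLUSION_RE.findall(effective_command(cmdline)):
        for value in raw.split(","):
            value = value.strip().strip("\"'")
            if value:
                out.append((param, value))
    return out


def triage(events: list) -> list:
    """Alerts carrying the context an analyst wants first: user, parent, exclusions."""
    alerts = []
    for ev in events:
        if not is_defender_exclusion_change(ev):
            continue
        cmdline = ev.get("command_line", "")
        alerts.append({
            "user": ev.get("user"),
            "parent": ev.get("parent_name"),
            "exclusions": extract_exclusions(cmdline),
            "encoded": bool(decode_encoded_command(cmdline)),
        })
    return alerts


# Constructed sample events, not real telemetry.
ENCODED_PAYLOAD = base64.b64encode(
    'Add-MpPreference -ExclusionPath "C:\\Users\\Public\\Libraries"'.encode("utf-16-le")
).decode()

SAMPLE_EVENTS = [
    # Plain command line, two path exclusions and one process exclusion.
    {"process_name": "powershell.exe", "parent_name": "cmd.exe", "user": "CORP\\jdoe",
     "command_line": 'powershell.exe -nop -w hidden Add-MpPreference -ExclusionPath '
                     '"C:\\Users\\Public", "C:\\Temp" -ExclusionProcess "svchost.exe"'},
    # Same cmdlet hidden behind -enc, spawned from Word: the case a substring
    # match on the raw command line would miss.
    {"process_name": "powershell.exe", "parent_name": "winword.exe", "user": "CORP\\jdoe",
     "command_line": "powershell.exe -enc " + ENCODED_PAYLOAD},
    # Routine scheduled script, no Defender change.
    {"process_name": "powershell.exe", "parent_name": "svchost.exe", "user": "NT AUTHORITY\\SYSTEM",
     "command_line": "powershell.exe -File C:\\Scripts\\Set-Inventory.ps1"},
    # Disabling real-time monitoring is defense evasion too, but not an
    # exclusion, so it is out of scope for this particular rule.
    {"process_name": "powershell.exe", "parent_name": "explorer.exe", "user": "CORP\\admin",
     "command_line": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

The parent process and the encoded flag are what separate a sanctioned change from a suspicious one at first glance: an exclusion added by a software-deployment agent under a service account reads very differently from one added by an encoded command spawned from an Office process, even when the cmdlet is identical.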
Categories
- Endpoint
- Windows
Data Sources
- Process
- Windows Registry
- Application Log
- Logon Session
ATT&CK Techniques
- T1562
- T1562.001
- T1562.006
- T1059
- T1059.001
Created: 2021-07-20