
Summary
This detection rule monitors PowerShell command lines that uninstall Windows Defender features using the 'Uninstall-WindowsFeature' or 'Remove-WindowsFeature' cmdlets. Adversaries use these commands to remove defensive components such as the Windows Defender GUI, leaving the system exposed to follow-on activity. The rule relies on process creation logs and looks at commands launched by the legitimate PowerShell hosts 'powershell.exe', 'PowerShell_ISE.EXE' and 'pwsh.exe'. It fires when a command line from one of these processes contains one of the two cmdlets together with the string 'Windows-Defender'. The rule is designed for Windows environments and flags findings as high severity, since removing a security feature implies an attempt to evade defenses, so every hit should be investigated promptly.
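As an added illustration that is not part of the rule itself, the following Python models the rule's three conditions (PowerShell host image, cmdlet present, 'Windows-Defender' present) and runs them over constructed process-creation events; the event field names, sample paths and command lines are assumptions, not real telemetry.

```python
from dataclasses import dataclass

# Assumed event shape, modelled on a process-creation record (Image + CommandLine).
@dataclass
class ProcessCreation:
    image: str
    command_line: str

# Host images named by the rule; matched on the trailing file name, case-insensitively.
POWERSHELL_HOSTS = ("\\powershell.exe", "\\powershell_ise.exe", "\\pwsh.exe")
# Cmdlets the rule looks for; substring matching is case-insensitive like Sigma 'contains'.
CMDLETS = ("uninstall-windowsfeature", "remove-windowsfeature")
FEATURE_MARKER = "windows-defender"

def is_powershell_host(image: str) -> bool:
    return image.lower().endswith(POWERSHELL_HOSTS)

def matches_rule(event: ProcessCreation) -> bool:
    """True only when all three conditions of the rule hold for the event."""
    if not is_powershell_host(event.image):
        return False
    cmd = event.command_line.lower()
    return any(c in cmd for c in CMDLETS) and FEATURE_MARKER in cmd

def run_detection(events):
    """Return the events that should raise a high-severity alert."""
    return [e for e in events if matches_rule(e)]

# Constructed sample events: two true hits, three that must not fire.
SAMPLE_EVENTS = [
    ProcessCreation(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                    'powershell.exe -Command "Uninstall-WindowsFeature -Name Windows-Defender-GUI"'),
    ProcessCreation(r"C:\Program Files\PowerShell\7\pwsh.exe",
                    "pwsh.exe -c Remove-WindowsFeature Windows-Defender -Restart"),
    ProcessCreation(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                    "powershell.exe -Command Get-WindowsFeature Windows-Defender"),   # read-only query
    ProcessCreation(r"C:\Windows\System32\cmd.exe",
                    'cmd.exe /c "Uninstall-WindowsFeature Windows-Defender"'),         # not a PowerShell host
    ProcessCreation(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe",
                    "powershell_ise.exe -Command Uninstall-WindowsFeature Web-Server"),  # unrelated feature
]

if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print("ALERT (high):", hit.image, "|", hit.command_line)
```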
Categories
- Windows
- Endpoint
Data Sources
- Process
Created: 2025-08-22