
Summary
This detection rule targets attempts by attackers to disable Windows Defender Antivirus (AV) security features using PowerShell commands. The rule focuses on monitoring the execution of PowerShell and Service Control (sc.exe) commands that manipulate Windows Defender settings. The command line used for these operations often includes parameters such as '-DisableBehaviorMonitoring $true' and '-DisableRuntimeMonitoring $true', which turn off specific protective behaviors. The rule also checks for 'sc.exe' commands that stop, delete, or disable the Windows Defender service. By raising alerts when these behaviors are observed, the rule helps identify attempts by malware to evade detection on the endpoint. It also accounts for false positives from legitimate software development practices, where developers may disable Windows Defender temporarily, so that security teams remain alert without being overburdened by benign alerts.
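The following is an added Python example, not the rule's own logic or code from its authors, that re-implements the detection described above and runs it over a handful of constructed process-creation events. It assumes Sysmon/Windows-style field names (Image, CommandLine, Computer, User), uses the two PowerShell parameter strings named on the page, and assumes the sc.exe patterns (stop, delete, config ... start= disabled against the real Defender service name WinDefend); the allowlist of developer hosts used for the false-positive provision is hypothetical.

```python
"""Re-implementation of the Defender-disable detection over constructed events."""
import re

# PowerShell markers named on the page; matched case-insensitively after
# whitespace normalization so '$True' and extra spaces still hit.
PWSH_MARKERS = (
    "-disablebehaviormonitoring $true",
    "-disableruntimemonitoring $true",
)

# sc.exe actions against the Defender service. WinDefend is the real service
# name; the exact patterns are an assumption, not the rule's own strings.
SC_ACTIONS = {
    "sc_stop_windefend": re.compile(r"\bstop\s+windefend\b"),
    "sc_delete_windefend": re.compile(r"\bdelete\s+windefend\b"),
    "sc_disable_windefend": re.compile(r"\bconfig\s+windefend\b.*\bstart=\s*disabled\b"),
}

# Hypothetical (host, user) pairs where toggling Defender is expected, e.g. a
# build host; findings there are still reported but flagged for lighter triage.
EXPECTED_CONTEXT = {("dev-build-01", "CONTOSO\\builduser")}


def normalize(cmdline):
    """Collapse whitespace and lowercase so string matching is robust."""
    return " ".join(cmdline.split()).lower()


def evaluate(event):
    """Return a finding dict for a suspicious event, or None if it is benign."""
    image = event.get("Image", "").lower()
    cmd = normalize(event.get("CommandLine", ""))
    finding = None
    # PowerShell path: look at the command line regardless of launching image,
    # since Set-MpPreference can be invoked via cmd.exe or a script host.
    for marker in PWSH_MARKERS:
        if marker in cmd:
            finding = {"rule": "powershell_defender_disable", "matched": marker}
            break
    # sc.exe path: only when the image really is sc.exe.
    if finding is None and image.endswith("\\sc.exe"):
        for name, rx in SC_ACTIONS.items():
            if rx.search(cmd):
                finding = {"rule": name, "matched": rx.pattern}
                break
    if finding is None:
        return None
    finding["technique"] = "T1562.001"
    finding["expected_context"] = (
        (event.get("Computer"), event.get("User")) in EXPECTED_CONTEXT
    )
    return finding


def scan(events):
    """Run evaluate() over a list of events and keep only the findings."""
    return [f for f in (evaluate(e) for e in events) if f is not None]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Computer": "ws-042", "User": "CONTOSO\\alice",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -Command "Set-MpPreference -DisableBehaviorMonitoring $True"'},
    {"Computer": "ws-042", "User": "CONTOSO\\alice",
     "Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": "sc.exe stop WinDefend"},
    {"Computer": "dev-build-01", "User": "CONTOSO\\builduser",
     "Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": "sc.exe config WinDefend start= disabled"},
    {"Computer": "ws-042", "User": "CONTOSO\\alice",
     "Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": "sc.exe query WinDefend"},          # benign status query
    {"Computer": "ws-042", "User": "CONTOSO\\alice",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Get-MpPreference"},  # benign read-only
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Running the block reports three findings (the PowerShell disable, the service stop, and the service set to disabled) and ignores the read-only query and Get-MpPreference events; the third finding carries expected_context True because it came from the allowlisted build host, which is how the page's false-positive provision can be surfaced to analysts without suppressing the alert outright.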
Categories
- Endpoint
- Windows
Data Sources
- Process
ATT&CK Techniques
- T1562.001
Created: 2020-10-12