Disable Windows Defender Functionalities Via Registry Keys

detection:
    selection_main:
        TargetObject|contains:
            - '\SOFTWARE\Microsoft\Windows Defender\'
            - '\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\'
            - '\SOFTWARE\Policies\Microsoft\Windows Defender\'
    selection_dword_1:
        TargetObject|endswith:
            - '\DisableAntiSpyware'
            - '\DisableAntiVirus'
            - '\DisableBehaviorMonitoring'
            - '\DisableBlockAtFirstSeen'
            - '\DisableEnhancedNotifications'
            - '\DisableIntrusionPreventionSystem'
            - '\DisableIOAVProtection'
            - '\DisableOnAccessProtection'
            - '\DisableRealtimeMonitoring'
            - '\DisableScanOnRealtimeEnable'
            - '\DisableScriptScanning'
        Details: 'DWORD (0x00000001)'
    selection_dword_0:
        TargetObject|endswith:
            - '\DisallowExploitProtectionOverride'
            - '\Features\TamperProtection'
            - '\MpEngine\MpEnablePus'
            - '\PUAProtection'
            - '\Signature Update\ForceUpdateFromMU'
            - '\SpyNet\SpynetReporting'
            - '\SpyNet\SubmitSamplesConsent'
            - '\Windows Defender Exploit Guard\Controlled Folder Access\EnableControlledFolderAccess'
        Details: 'DWORD (0x00000000)'
    filter_optional_symantec:
        Image|startswith: 'C:\Program Files\Symantec\Symantec Endpoint Protection\'
        Image|endswith: '\sepWscSvc64.exe'
    condition: selection_main and 1 of selection_dword_* and not 1 of filter_optional_*