Back in 2022, I made a simple YARA rule to detect malware disabling or tampering with Windows Defender: https://github.com/iam-py-test/yara-rules/blob/main/rules/generic/windows/disable_defender.yar
It's not that well made, but still manages to detect a ton of malware:
https://bazaar.abuse.ch/browse/yara/Disable_Defender/
I'm not sure how many false positives it has.
If I recall correctly, this rule was based heavily on what I was seeing in people's logs on malware support forums.
