Description: Threat actors disable antivirus (AV) products to evade detection. This query checks the state of the security products registered with Windows. It maps to MITRE ATT&CK sub-technique T1562.001.
What The Data Shows: Security products on the host that are inactive (state Off).
SQL: SELECT * FROM windows_security_products WHERE state = 'Off';
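
Added example (not part of the original detection entry): a refinement that reports an Off product only when no other product of the same type is On, run here against an in-memory SQLite copy of the table. The rows are constructed, the product names and paths are placeholders, and the scenario assumes a host where the built-in AV reports Off because a third-party AV is registered and active.

```python
import sqlite3

PAGE_QUERY = "SELECT * FROM windows_security_products WHERE state = 'Off';"

# Refinement: report an 'Off' product only when no other registered product
# of the same type is 'On' on that host.
REFINED_QUERY = """
SELECT p.type, p.name, p.state, p.state_timestamp
FROM windows_security_products AS p
WHERE p.state = 'Off'
  AND NOT EXISTS (SELECT 1 FROM windows_security_products AS q
                  WHERE q.type = p.type AND q.state = 'On')
ORDER BY p.type, p.name;
"""

# Local stand-in for the osquery table so the queries can run offline.
SCHEMA = """CREATE TABLE windows_security_products (
    type TEXT, name TEXT, state TEXT, state_timestamp TEXT,
    remediation_path TEXT, signatures_up_to_date INTEGER)"""

# Constructed rows, not real telemetry. Names and paths are placeholders.
TS = "Mon, 01 Jan 2024 00:00:00 GMT"
HOST_WITH_THIRD_PARTY_AV = [
    ("Firewall", "Windows Firewall", "On", TS, "<path>", 1),
    ("Antivirus", "Windows Defender", "Off", TS, "<path>", 1),
    ("Antivirus", "ExampleAV (hypothetical)", "On", TS, "<path>", 1),
]
HOST_WITH_NO_ACTIVE_AV = [
    ("Firewall", "Windows Firewall", "On", TS, "<path>", 1),
    ("Antivirus", "Windows Defender", "Off", TS, "<path>", 0),
]

def run_query(rows, query):
    """Load one host's rows into an in-memory table and run the query."""
    db = sqlite3.connect(":memory:")
    try:
        db.execute(SCHEMA)
        db.executemany(
            "INSERT INTO windows_security_products VALUES (?, ?, ?, ?, ?, ?)", rows)
        return db.execute(query).fetchall()
    finally:
        db.close()

if __name__ == "__main__":
    for label, rows in (("third-party AV", HOST_WITH_THIRD_PARTY_AV),
                        ("no active AV", HOST_WITH_NO_ACTIVE_AV)):
        print(label, "| page query:", len(run_query(rows, PAGE_QUERY)),
              "row(s) | refined:", run_query(rows, REFINED_QUERY))
```

The page's query returns a row on both hosts; the refined query stays silent on the first and reports only the host left with no active antivirus.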