Windows Defender Network Protection Disabled via Registry Modification
This analytic detects modifications to the Windows registry to disable Windows Defender Network Protection, potentially leaving the system vulnerable to network-based threats.
This detection identifies attempts to weaken Windows security by disabling Windows Defender Network Protection. Network Protection is the Exploit Guard feature that blocks outbound connections from any process to domains and IP addresses that Microsoft Defender SmartScreen rates as malicious, and it is switched on or off through the EnableNetworkProtection registry value. Attackers turn it off to bypass that control, enabling command-and-control traffic, payload downloads, data exfiltration, or further compromise of the network. This is typically a post-exploitation step or part of a larger defense evasion strategy. The detection focuses on writes to the specific registry key and value that disable the feature.
Attack Chain
- Attacker gains initial access to the system (e.g., via phishing or exploiting a vulnerability).
- Attacker elevates privileges to gain administrative access, which is required to write under HKLM.
- The attacker uses a script or tool (e.g., PowerShell, reg.exe) to modify the registry.
- The write targets the EnableNetworkProtection value under the Windows Defender Exploit Guard\Network Protection key. The rule matches it with the pattern *\\Windows Defender\\Windows Defender Exploit Guard\\Network Protection\\EnableNetworkProtection, so the leading wildcard covers both the policy path (HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\...) and the non-policy path under HKLM\SOFTWARE\Microsoft\Windows Defender\....
- The script sets registry_value_data to 0x00000000, which disables Network Protection (1 is block mode, 2 is audit mode).
- Windows Defender Network Protection is disabled, allowing network-based threats to proceed unimpeded.
- The attacker can then execute malicious code, establish command and control, or exfiltrate data without network-level interference from Windows Defender.
Impact
Successful disabling of Windows Defender Network Protection can significantly weaken a system’s security posture. This allows attackers to bypass a key security control, potentially leading to malware infection, data theft, or complete system compromise. Systems without Network Protection are more susceptible to network-based attacks such as drive-by downloads, exploit kits, and command-and-control traffic. The impact could range from a single compromised workstation to a widespread network breach, depending on the attacker’s objectives and capabilities.
Recommendation
- Deploy the Sigma rule Registry Modification to Disable Windows Defender Network Protection to your SIEM and tune it for your environment.
- Investigate any alerts generated by the Sigma rule to determine the legitimacy of the registry modification.
- Implement endpoint detection and response (EDR) solutions to provide additional visibility into endpoint activity and detect malicious behavior.
- Review and enforce group policies to prevent unauthorized registry modifications.
- Monitor Sysmon Event ID 13 (RegistryEvent: Value Set) for writes to Defender policy values, so that similar defense evasion attempts against other Defender settings are caught by the same telemetry.
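The attack chain above and the Sysmon Event ID 13 recommendation can be exercised together with a small detector. The following Python is an added example, not the platform's Sigma rules or any code from the original page: it applies the two rules' logic (a medium-severity hit for any value-set event on EnableNetworkProtection, escalated to high when the data is 0x00000000) to a handful of constructed Sysmon Event ID 13 records. The sample events, the process images in them, and the dictionary field names are assumptions made for this example; the Details format "DWORD (0x00000000)" is how Sysmon renders DWORD writes.

```python
"""Toy detector for Sysmon Event ID 13 (RegistryEvent: Value Set) records that
write the Defender Exploit Guard EnableNetworkProtection value.

Example code written for this page; it is not the platform's rule engine.
"""
import re

# Mirrors the rule's TargetObject pattern: any hive/prefix, then the Exploit
# Guard Network Protection key, ending in the EnableNetworkProtection value.
TARGET_RE = re.compile(
    r"\\Windows Defender\\Windows Defender Exploit Guard\\Network Protection"
    r"\\EnableNetworkProtection$",
    re.IGNORECASE,
)

# Sysmon renders DWORD writes in the Details field as "DWORD (0x00000000)".
DWORD_RE = re.compile(r"^DWORD \(0x([0-9a-fA-F]{8})\)$")

# Meaning of the EnableNetworkProtection data (0 disables the feature).
MODES = {0: "disabled", 1: "block", 2: "audit"}

# Assumed paths: the Group Policy location and the non-policy location.
POLICY_KEY = (
    r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender"
    r"\Windows Defender Exploit Guard\Network Protection\EnableNetworkProtection"
)
LOCAL_KEY = (
    r"HKLM\SOFTWARE\Microsoft\Windows Defender"
    r"\Windows Defender Exploit Guard\Network Protection\EnableNetworkProtection"
)


def parse_dword(details):
    """Return the integer inside a Sysmon DWORD Details string, or None."""
    m = DWORD_RE.match(details.strip())
    return int(m.group(1), 16) if m else None


def evaluate(event):
    """Apply both rules to one Sysmon event dict; return the alerts raised."""
    alerts = []
    if event.get("EventID") != 13:  # only value-set events carry Details
        return alerts
    if not TARGET_RE.search(event.get("TargetObject", "")):
        return alerts
    value = parse_dword(event.get("Details", ""))
    # Rule 2: any process writing the value is worth a look (medium).
    alerts.append({
        "rule": "Process Modifying Windows Defender Network Protection Registry",
        "level": "medium",
        "image": event.get("Image"),
        "mode": MODES.get(value, "unknown"),
    })
    # Rule 1: data 0x00000000 means the feature was switched off (high).
    if value == 0:
        alerts.append({
            "rule": "Registry Modification to Disable Windows Defender Network Protection",
            "level": "high",
            "image": event.get("Image"),
            "mode": "disabled",
        })
    return alerts


def scan(events):
    """Run evaluate() over a sequence of events and flatten the alerts."""
    return [alert for event in events for alert in evaluate(event)]


# Constructed sample telemetry (not real logs). Field names follow Sysmon's
# Event ID 13 schema: Image, TargetObject, Details.
SAMPLE_EVENTS = [
    # reg.exe writing 0 to the policy value: both rules fire.
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": POLICY_KEY, "Details": "DWORD (0x00000000)"},
    # PowerShell switching the feature to audit mode (2): medium only.
    {"EventID": 13,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": LOCAL_KEY, "Details": "DWORD (0x00000002)"},
    # Group Policy refresh re-asserting block mode (1): medium only, tune out.
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": POLICY_KEY, "Details": "DWORD (0x00000001)"},
    # Unrelated Defender value: no alert.
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
     "Details": "DWORD (0x00000001)"},
    # Event ID 12 (key create) on the same key carries no Details: no alert.
    {"EventID": 12, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": POLICY_KEY},
]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert["level"], "|", alert["rule"], "|", alert["image"], "|", alert["mode"])
```

The third sample shows why the page says to tune: a Group Policy refresh writes the same value from svchost.exe, so the medium rule needs an allowlist for the policy service while the high rule (data 0x00000000) should stay unfiltered. On a live host the effective state can be cross-checked with (Get-MpPreference).EnableNetworkProtection, where 0 is disabled, 1 enabled and 2 audit mode.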
Detection coverage (2 rules)
Registry Modification to Disable Windows Defender Network Protection
Severity: high. Detects modifications to the Windows registry to disable Windows Defender Network Protection.
Process Modifying Windows Defender Network Protection Registry
Severity: medium. Detects processes modifying the Windows Defender Network Protection registry key.