Skip to content
Threat Feed
high advisory

Windows Defender Network Protection Disabled via Registry Modification

Attackers disable Windows Defender Network Protection by modifying the `EnableNetworkProtection` registry value, potentially bypassing network-based threat detection and enabling data exfiltration or further system compromise.

Attackers may attempt to disable Windows Defender Network Protection to evade detection and prevention of network-based threats. This is achieved by modifying the EnableNetworkProtection registry value. While the original Splunk ES-CU analytic was released on 2026-03-16, this technique is actively discussed in the security community as of early 2024. Disabling Network Protection prevents Windows Defender from analyzing and blocking malicious network activity, thus creating a significant vulnerability. This is a common defense evasion tactic employed after initial access or during lateral movement.

Attack Chain

  1. The attacker gains initial access to the system (e.g., via compromised credentials or exploiting a vulnerability).
  2. The attacker executes a process (e.g., powershell.exe, cmd.exe) with elevated privileges.
  3. The process modifies the registry key HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection.
  4. Specifically, the EnableNetworkProtection registry value is set to 0x00000000.
  5. Windows Defender Network Protection is disabled, preventing it from blocking malicious network connections or exploits.
  6. The attacker leverages the compromised system to perform reconnaissance within the network.
  7. Malware is downloaded and executed, now unimpeded by Network Protection.
  8. Data exfiltration or other malicious activities are carried out without detection by Windows Defender's network protection features.

Impact

Successful disabling of Windows Defender Network Protection significantly weakens the system's defenses, potentially affecting many endpoints within an organization. Attackers can then proceed with data exfiltration, ransomware deployment, or further lateral movement without triggering network-based alerts from Windows Defender. This could lead to widespread data breaches, financial losses, and reputational damage.

Recommendation

  • Enable Sysmon Event ID 13 logging to monitor registry modifications (reference: Sysmon EventID 13 data source).
  • Deploy the provided Sigma rule to detect attempts to disable Windows Defender Network Protection by modifying the EnableNetworkProtection registry value (reference: Sigma rule Detect Windows Defender Network Protection Disable).
  • Investigate any alerts generated by the Sigma rule to determine if the activity is malicious and take appropriate remediation steps.
  • Consider implementing Group Policy settings to prevent users from modifying the EnableNetworkProtection registry value.

Detection coverage 2

Detect Windows Defender Network Protection Disable

high

Detects modification of the EnableNetworkProtection registry value to disable Windows Defender Network Protection

sigma tactics: defense_evasion techniques: T1562.001 sources: registry_set, windows

Detect Process Modifying Network Protection Registry

medium

Detects processes commonly used by attackers modifying the Network Protection registry key

sigma tactics: defense_evasion techniques: T1562.001 sources: process_creation, windows

Detection queries are available on the platform. Get full rules →