Windows Defender Network Protection Disabled via Registry Modification
Attackers disable Windows Defender Network Protection by modifying the `EnableNetworkProtection` registry value, potentially bypassing network-based threat detection and enabling data exfiltration or further system compromise.
Attackers may attempt to disable Windows Defender Network Protection to evade detection and prevention of network-based threats. This is achieved by modifying the EnableNetworkProtection registry value. While the original Splunk ES-CU analytic was released on 2026-03-16, this technique is actively discussed in the security community as of early 2024. Disabling Network Protection prevents Windows Defender from analyzing and blocking malicious network activity, thus creating a significant vulnerability. This is a common defense evasion tactic employed after initial access or during lateral movement.
Attack Chain
- The attacker gains initial access to the system (e.g., via compromised credentials or exploiting a vulnerability).
- The attacker executes a process (e.g.,
powershell.exe,cmd.exe) with elevated privileges. - The process modifies the registry key
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection. - Specifically, the
EnableNetworkProtectionregistry value is set to0x00000000. - Windows Defender Network Protection is disabled, preventing it from blocking malicious network connections or exploits.
- The attacker leverages the compromised system to perform reconnaissance within the network.
- Malware is downloaded and executed, now unimpeded by Network Protection.
- Data exfiltration or other malicious activities are carried out without detection by Windows Defender's network protection features.
Impact
Successful disabling of Windows Defender Network Protection significantly weakens the system's defenses, potentially affecting many endpoints within an organization. Attackers can then proceed with data exfiltration, ransomware deployment, or further lateral movement without triggering network-based alerts from Windows Defender. This could lead to widespread data breaches, financial losses, and reputational damage.
Recommendation
- Enable Sysmon Event ID 13 logging to monitor registry modifications (reference: Sysmon EventID 13 data source).
- Deploy the provided Sigma rule to detect attempts to disable Windows Defender Network Protection by modifying the
EnableNetworkProtectionregistry value (reference: Sigma ruleDetect Windows Defender Network Protection Disable). - Investigate any alerts generated by the Sigma rule to determine if the activity is malicious and take appropriate remediation steps.
- Consider implementing Group Policy settings to prevent users from modifying the
EnableNetworkProtectionregistry value.
Detection coverage 2
Detect Windows Defender Network Protection Disable
highDetects modification of the EnableNetworkProtection registry value to disable Windows Defender Network Protection
Detect Process Modifying Network Protection Registry
mediumDetects processes commonly used by attackers modifying the Network Protection registry key
Detection queries are available on the platform. Get full rules →