
Summary
This analytic detects modifications to the Windows registry that disable Windows SmartScreen, a protection feature critical for safeguarding against phishing and malware. The detection focuses on registry changes in the specific paths that control SmartScreen functionality, using data from the Endpoint.Registry data model. Monitoring such changes is important because disabling SmartScreen may indicate malicious activity commonly associated with Remote Access Trojans (RATs), which attackers use to evade security controls while carrying out further harmful operations. If this action is confirmed to be malicious, it raises the likelihood that subsequent phishing and malware attacks will succeed. This detection rule is designed for Splunk and relies on Sysmon registry event logs to identify the suspicious changes and alert security teams accordingly.
Categories
- Endpoint
- Windows
Data Sources
- Pod
- Container
- User Account
- Windows Registry
- Process
ATT&CK Techniques
- T1562.001
- T1562
Created: 2024-12-08