registry_delete

Delete Defender Scan ShellEx Context Menu Registry Key

Apr 28, 2026 · attack.defense-impairment ·

Detects deletion of registry key that adds 'Scan with Defender' option in context menu. Attackers may use this to make it harder for users to scan files that are suspicious.

Folder Removed From Exploit Guard ProtectedFolders List - Registry

Apr 28, 2026 · attack.defense-impairment attack.t1685 ·

Share on:

Detects the removal of folders from the "ProtectedFolders" list of of exploit guard. This could indicate an attacker trying to launch an encryption process or trying to manipulate data inside of the protected folder

Removal Of AMSI Provider Registry Keys

Apr 28, 2026 · attack.defense-impairment attack.t1685 ·

Share on:

Detects the deletion of AMSI provider registry key entries in HKLM\Software\Microsoft\AMSI. This technique could be used by an attacker in order to disable AMSI inspection.

Removal Of Index Value to Hide Schedule Task - Registry

Apr 28, 2026 · attack.defense-impairment attack.t1685 ·

Share on:

Detects when the "index" value of a scheduled task is removed or deleted from the registry. Which effectively hides it from any tooling such as "schtasks /query"

Removal of Potential COM Hijacking Registry Keys

Apr 28, 2026 · attack.persistence attack.defense-impairment attack.t1112 ·

Share on:

Detects any deletion of entries in ".*\shell\open\command" registry keys. These registry keys might have been used for COM hijacking activities by a threat actor or an attacker and the deletion could indicate steps to remove its tracks.

Removal Of SD Value to Hide Schedule Task - Registry

Apr 28, 2026 · attack.defense-impairment attack.t1685 ·

Share on:

Remove SD (Security Descriptor) value in \Schedule\TaskCache\Tree registry hive to hide schedule task. This technique is used by Tarrask malware

RunMRU Registry Key Deletion - Registry

Apr 28, 2026 · attack.stealth attack.t1070.003 ·

Share on:

Detects attempts to delete the RunMRU registry key, which stores the history of commands executed via the run dialog. In the clickfix techniques, the phishing lures instruct users to open a run dialog through (Win + R) and execute malicious commands. Adversaries may delete this key to cover their tracks after executing commands.

Terminal Server Client Connection History Cleared - Registry

Apr 28, 2026 · attack.persistence attack.stealth attack.defense-impairment attack.t1070 attack.t1112 ·

Share on:

Detects the deletion of registry keys containing the MSTSC connection history

Windows Credential Guard Related Registry Value Deleted - Registry

Apr 28, 2026 · attack.defense-impairment attack.t1685 ·

Share on:

Detects attempts to disable Windows Credential Guard by deleting registry values. Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Adversaries may disable Credential Guard to gain access to sensitive credentials stored in the system, such as NTLM hashes and Kerberos tickets, which can be used for lateral movement and privilege escalation.

Windows Recall Feature Enabled - DisableAIDataAnalysis Value Deleted

Apr 16, 2025 · attack.collection attack.t1113 ·

Share on:

Detects the enabling of the Windows Recall feature via registry manipulation. Windows Recall can be enabled by deleting the existing "DisableAIDataAnalysis" registry value. Adversaries may enable Windows Recall as part of post-exploitation discovery and collection activities. This rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary.