Delete Defender Scan ShellEx Context Menu Registry Key
Detects deletion of registry key that adds 'Scan with Defender' option in context menu. Attackers may use this to make it harder for users to scan files that are suspicious.
Sigma rule (View on GitHub)
1title: Delete Defender Scan ShellEx Context Menu Registry Key
2id: 72a0369a-2576-4aaf-bfc9-6bb24a574ac6
3related:
4 - id: b9e8c7d6-a5f4-4e3d-8b1a-9f0c8d7e6a5b
5 type: similar
6status: experimental
7description: Detects deletion of registry key that adds 'Scan with Defender' option in context menu. Attackers may use this to make it harder for users to scan files that are suspicious.
8references:
9 - https://research.splunk.com/endpoint/395ed5fe-ad13-4366-9405-a228427bdd91/
10 - https://winaero.com/how-to-delete-scan-with-windows-defender-from-context-menu-in-windows-10/
11 - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
12 - https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/
13author: 'Matt Anderson (Huntress)'
14date: 2025-07-11
15modified: 2025-10-07
16tags:
17 - attack.defense-evasion
18logsource:
19 category: registry_delete
20 product: windows
21detection:
22 selection:
23 TargetObject|contains: 'shellex\ContextMenuHandlers\EPP'
24 filter_main_defender:
25 Image|startswith:
26 - 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
27 - 'C:\Program Files\Windows Defender\'
28 - 'C:\Program Files (x86)\Windows Defender\'
29 Image|endswith: '\MsMpEng.exe'
30 condition: selection and not 1 of filter_main_*
31falsepositives:
32 - Unlikely as this weakens defenses and normally would not be done even if using another AV.
33level: medium
References
-
Updated Date: 2025-05-02 ID: 395ed5fe-ad13-4366-9405-a228427bdd91 Author: Teoderick Contreras, Splunk Type: Hunting Product: Splunk Enterprise Security Description The following analytic detects the deletion of the Windows Defender context menu entry from the registry. It leverages data from the Endpoint datamodel, specifically monitoring registry actions where the path includes "*\shellex\ContextMenuHandlers\EPP" and the action is 'deleted'. This activity is significant as it is commonly associated with Remote Access Trojan (RAT) malware attempting to disable security features.
Read More -
To delete Scan with Windows Defender entry from the context menu in Windows 10, you can use ready-to-use Registry files I made for your convenience.
Read More -
Intro Towards the end of July, we observed an intrusion that began with IcedID malware and ended in XingLocker ransomware, a Mountlocker variant. XingLocker made its first appearance in early May o…
Read More
Related rules
- Amsi.DLL Loaded Via LOLBIN Process
- Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE
- Files With System Process Name In Unsuspected Locations
- Filter Driver Unloaded Via Fltmc.EXE
- Firewall Rule Deleted Via Netsh.EXE