Delete Defender Scan ShellEx Context Menu Registry Key
Detects deletion of registry key that adds 'Scan with Defender' option in context menu. Attackers may use this to make it harder for users to scan files that are suspicious.
Sigma rule
title: Delete Defender Scan ShellEx Context Menu Registry Key
id: 72a0369a-2576-4aaf-bfc9-6bb24a574ac6
related:
    - id: b9e8c7d6-a5f4-4e3d-8b1a-9f0c8d7e6a5b
      type: similar
status: experimental
description: Detects deletion of registry key that adds 'Scan with Defender' option in context menu. Attackers may use this to make it harder for users to scan files that are suspicious.
references:
    - https://research.splunk.com/endpoint/395ed5fe-ad13-4366-9405-a228427bdd91/
    - https://winaero.com/how-to-delete-scan-with-windows-defender-from-context-menu-in-windows-10/
    - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
    - https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/
author: 'Matt Anderson (Huntress)'
date: 2025-07-11
modified: 2025-10-07
tags:
    - attack.defense-evasion
logsource:
    category: registry_delete
    product: windows
detection:
    selection:
        TargetObject|contains: 'shellex\ContextMenuHandlers\EPP'
    filter_main_defender:
        Image|startswith:
            - 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
            - 'C:\Program Files\Windows Defender\'
            - 'C:\Program Files (x86)\Windows Defender\'
        Image|endswith: '\MsMpEng.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unlikely as this weakens defenses and normally would not be done even if using another AV.
level: medium
Related rules
- Amsi.DLL Loaded Via LOLBIN Process
- Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE
- Files With System Process Name In Unsuspected Locations
- Filter Driver Unloaded Via Fltmc.EXE
- Firewall Rule Deleted Via Netsh.EXE