Delete Defender Scan ShellEx Context Menu Registry Key

Jul 28, 2025 · attack.defense-evasion ·

Detects deletion of registry key that adds 'Scan with Defender' option in context menu. Attackers may use this to make it harder for users to scan files that are suspicious.

Sigma rule (View on GitHub)

 1title: Delete Defender Scan ShellEx Context Menu Registry Key
 2id: 72a0369a-2576-4aaf-bfc9-6bb24a574ac6
 3related:
 4    - id: b9e8c7d6-a5f4-4e3d-8b1a-9f0c8d7e6a5b
 5      type: similar
 6status: experimental
 7description: Detects deletion of registry key that adds 'Scan with Defender' option in context menu. Attackers may use this to make it harder for users to scan files that are suspicious.
 8references:
 9    - https://research.splunk.com/endpoint/395ed5fe-ad13-4366-9405-a228427bdd91/
10    - https://winaero.com/how-to-delete-scan-with-windows-defender-from-context-menu-in-windows-10/
11    - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
12    - https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/
13author: 'Matt Anderson (Huntress)'
14date: 2025-07-11
15tags:
16    - attack.defense-evasion
17logsource:
18    category: registry_delete
19    product: windows
20detection:
21    selection:
22        TargetObject|contains: 'shellex\ContextMenuHandlers\EPP'
23    condition: selection
24falsepositives:
25    - Unlikely as this weakens defenses and normally would not be done even if using another AV.
26level: medium

References

https://research.splunk.com/endpoint/395ed5fe-ad13-4366-9405-a228427bdd91/

Read More
How to delete Scan with Windows Defender from context menu in Windows 10

To delete Scan with Windows Defender entry from the context menu in Windows 10, you can use ready-to-use Registry files I made for your convenience.

Read More
IcedID to XingLocker Ransomware in 24 hours

Intro Towards the end of July, we observed an intrusion that began with IcedID malware and ended in XingLocker ransomware, a Mountlocker variant. XingLocker made its first appearance in early May o…

Read More
https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/

Read More

Delete Defender Scan ShellEx Context Menu Registry Key

Sigma rule (View on GitHub)

References

https://research.splunk.com/endpoint/395ed5fe-ad13-4366-9405-a228427bdd91/

How to delete Scan with Windows Defender from context menu in Windows 10

IcedID to XingLocker Ransomware in 24 hours

https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/

Related rules