Delete Defender Scan ShellEx Context Menu Registry Key
Detects deletion of registry key that adds 'Scan with Defender' option in context menu. Attackers may use this to make it harder for users to scan files that are suspicious.
Sigma rule (View on GitHub)
1title: Delete Defender Scan ShellEx Context Menu Registry Key
2id: 72a0369a-2576-4aaf-bfc9-6bb24a574ac6
3related:
4 - id: b9e8c7d6-a5f4-4e3d-8b1a-9f0c8d7e6a5b
5 type: similar
6status: experimental
7description: Detects deletion of registry key that adds 'Scan with Defender' option in context menu. Attackers may use this to make it harder for users to scan files that are suspicious.
8references:
9 - https://research.splunk.com/endpoint/395ed5fe-ad13-4366-9405-a228427bdd91/
10 - https://winaero.com/how-to-delete-scan-with-windows-defender-from-context-menu-in-windows-10/
11 - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
12 - https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/
13author: 'Matt Anderson (Huntress)'
14date: 2025-07-11
15modified: 2025-10-07
16tags:
17 - attack.defense-impairment
18logsource:
19 category: registry_delete
20 product: windows
21detection:
22 selection:
23 TargetObject|contains: 'shellex\ContextMenuHandlers\EPP'
24 filter_main_defender:
25 Image|startswith:
26 - 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
27 - 'C:\Program Files\Windows Defender\'
28 - 'C:\Program Files (x86)\Windows Defender\'
29 Image|endswith: '\MsMpEng.exe'
30 condition: selection and not 1 of filter_main_*
31falsepositives:
32 - Unlikely as this weakens defenses and normally would not be done even if using another AV.
33level: medium
References
Related rules
- A Rule Has Been Deleted From The Windows Firewall Exception List
- AD Object WriteDAC Access
- AMSI Bypass Pattern Assembly GetType
- AMSI Disabled via Registry Modification
- ASLR Disabled Via Sysctl or Direct Syscall - Linux