Detection | Level: medium | Status: experimental
Delete Defender Scan ShellEx Context Menu Registry Key
Detects deletion of the registry key that adds the 'Scan with Defender' option to the Explorer context menu. Attackers may remove it to make it harder for users to scan suspicious files.
Author: Matt Anderson (Huntress)
Created: Fri Jul 11
Updated: Tue Oct 07
Rule ID: 72a0369a-2576-4aaf-bfc9-6bb24a574ac6
Product: windows
Log Source
Product: Windows (raw: windows)
Category: Registry Delete (raw: registry_delete)
Detection Logic (2 selectors)
detection:
    selection:
        TargetObject|contains: 'shellex\ContextMenuHandlers\EPP'
    filter_main_defender:
        Image|startswith:
            - 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
            - 'C:\Program Files\Windows Defender\'
            - 'C:\Program Files (x86)\Windows Defender\'
        Image|endswith: '\MsMpEng.exe'
    condition: selection and not 1 of filter_main_*
False Positives
Unlikely as this weakens defenses and normally would not be done even if using another AV.
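To show exactly what the rule matches and what the filter excludes, here is an added Python evaluator (not part of the Sigma rule or its project) that applies the selection and filter logic above to constructed, Sysmon-style registry-delete events. It assumes Sigma's default case-insensitive string matching, and the sample TargetObject and Image values are constructed for illustration; the dataclass, function names and the `evaluate` helper are this example's own.

```python
"""Evaluate the 'Delete Defender Scan ShellEx Context Menu Registry Key' logic
against constructed registry-delete events (added example, not the rule's code)."""
from dataclasses import dataclass

# Values taken from the rule's detection block. Backslashes are doubled because
# these are ordinary Python strings, not raw strings.
KEY_FRAGMENT = "shellex\\ContextMenuHandlers\\EPP"
DEFENDER_DIRS = (
    "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\",
    "C:\\Program Files\\Windows Defender\\",
    "C:\\Program Files (x86)\\Windows Defender\\",
)
DEFENDER_IMAGE_SUFFIX = "\\MsMpEng.exe"


@dataclass
class RegistryDeleteEvent:
    """Minimal stand-in for a Sysmon registry-delete record (constructed)."""
    image: str          # process that performed the deletion
    target_object: str  # registry key or value that was deleted


def selection(ev: RegistryDeleteEvent) -> bool:
    """TargetObject|contains: 'shellex\\ContextMenuHandlers\\EPP' (case-insensitive)."""
    return KEY_FRAGMENT.lower() in ev.target_object.lower()


def filter_main_defender(ev: RegistryDeleteEvent) -> bool:
    """Both fields inside one Sigma map are ANDed: the image must start with one
    of the Defender directories AND end with \\MsMpEng.exe."""
    img = ev.image.lower()
    in_defender_dir = any(img.startswith(d.lower()) for d in DEFENDER_DIRS)
    return in_defender_dir and img.endswith(DEFENDER_IMAGE_SUFFIX.lower())


def matches(ev: RegistryDeleteEvent) -> bool:
    """condition: selection and not 1 of filter_main_*"""
    return selection(ev) and not filter_main_defender(ev)


# Constructed sample events: the key path mirrors the rule's fragment; images are
# illustrative, including a Defender binary name running from an unexpected path.
SAMPLE_EVENTS = {
    "reg_exe_deletes_epp": RegistryDeleteEvent(
        image="C:\\Windows\\System32\\reg.exe",
        target_object="HKLM\\SOFTWARE\\Classes\\*\\shellex\\ContextMenuHandlers\\EPP",
    ),
    "defender_engine_from_platform_dir": RegistryDeleteEvent(
        image="C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\0.0.0-0\\MsMpEng.exe",
        target_object="HKLM\\SOFTWARE\\Classes\\*\\shellex\\ContextMenuHandlers\\EPP",
    ),
    "msmpeng_name_from_odd_dir": RegistryDeleteEvent(
        image="C:\\Users\\Public\\MsMpEng.exe",
        target_object="HKLM\\SOFTWARE\\Classes\\*\\shellex\\ContextMenuHandlers\\EPP",
    ),
    "unrelated_key": RegistryDeleteEvent(
        image="C:\\Windows\\System32\\reg.exe",
        target_object="HKCU\\Software\\ExampleVendor\\ExampleApp",
    ),
}


def evaluate(events: dict[str, RegistryDeleteEvent]) -> dict[str, bool]:
    """Return the rule verdict for every named event."""
    return {name: matches(ev) for name, ev in events.items()}


if __name__ == "__main__":
    for name, hit in evaluate(SAMPLE_EVENTS).items():
        print(f"{'ALERT ' if hit else 'ignore'}  {name}")
```

Note that the filter only suppresses MsMpEng.exe when it runs from one of the three listed Defender directories; a binary merely named MsMpEng.exe elsewhere still triggers the rule, which is why the filter pairs the path prefix with the file name rather than trusting the name alone.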
MITRE ATT&CK
Tactics: Defense Evasion (tag: attack.defense-evasion)
Rule Metadata
Rule ID
72a0369a-2576-4aaf-bfc9-6bb24a574ac6
Status
experimental
Level
medium
Type
Detection
Created
Fri Jul 11
Modified
Tue Oct 07
Author
Matt Anderson (Huntress)
Path
rules/windows/registry/registry_delete/registry_delete_defender_context_menu.yml
Raw Tags
attack.defense-evasion