Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionhighexperimental

Windows Defender Context Menu Removed

Detects the use of reg.exe or PowerShell to delete the Windows Defender context menu handler registry keys. This action removes the "Scan with Microsoft Defender" option from the right-click menu for files, directories, and drives. Attackers may use this technique to hinder manual, on-demand scans and reduce the visibility of the security product.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Matt Anderson (Huntress)Created Wed Jul 09b9e8c7d6-a5f4-4e3d-8b1a-9f0c8d7e6a5bwindows
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic
Detection Logic3 selectors
detection:
    selection_img:
        - Image|endswith:
              - '\powershell_ise.exe'
              - '\powershell.exe'
              - '\pwsh.exe'
              - '\reg.exe'
        - OriginalFileName:
              - 'powershell_ise.EXE'
              - 'PowerShell.EXE'
              - 'pwsh.dll'
              - 'reg.exe'
    selection_action:
        CommandLine|contains:
            - 'del'
            - 'Remove-Item'
            - 'ri '
    selection_reg_path:
        CommandLine|contains: '\shellex\ContextMenuHandlers\EPP'
    condition: all of selection_*
False Positives

May be part of a system customization or "debloating" script, but this is highly unusual in a managed corporate environment.

References
1
Resolving title…
research.splunk.com
2
Resolving title…
winaero.com
3
Resolving title…
thedfirreport.com
4
Resolving title…
blog.malwarebytes.com
MITRE ATT&CK
Related Rules
SimilarDetectionmedium

Delete Defender Scan ShellEx Context Menu Registry Key

Detects deletion of registry key that adds 'Scan with Defender' option in context menu. Attackers may use this to make it harder for users to scan files that are suspicious.

Detects similar activity. Both rules may fire on overlapping events.

Rule Metadata
Rule ID
b9e8c7d6-a5f4-4e3d-8b1a-9f0c8d7e6a5b
Status
experimental
Level
high
Type
Detection
Created
Wed Jul 09
Author
Matt Anderson (Huntress)
Path
rules/windows/process_creation/proc_creation_win_defender_remove_context_menu.yml
Raw Tags
attack.defense-evasionattack.t1562.001
View on GitHub