Rule Info
Name: Delete Defender Scan ShellEx Context Menu Registry Key
Author: Matt Anderson (Huntress)
Description: Detects deletion of the registry key that adds the 'Scan with Defender' option to the context menu. Attackers may use this to make it harder for users to scan suspicious files.
Date: 2025-07-11 00:00:00
Modified: 2025-10-07 00:00:00
Id: 72a0369a-2576-4aaf-bfc9-6bb24a574ac6
Tags: attack.defense-impairment
Type: Community Rule
Link to Public Repo
Rule History

| Author | Title | Date | Commit |
| --- | --- | --- | --- |
| Nasreddine Bencherchali | Merge PR #5966 from @nasbench - Update mitre tags to use attack v19 | 2026-04-29 | |
| phantinuss | Merge PR #5679 from @swachchhanda000 - chore: update evtx baseline to v0.8.2 | 2025-10-09 | |
| Matt Anderson | Merge PR #5528 from @MATTANDERS0N - add rules for defense evasion | 2025-07-28 | |
