Delete Defender Scan ShellEx Context Menu Registry Key

Severity: medium
Author: Matt Anderson (Huntress)
Source: upstream

Detects deletion of registry key that adds 'Scan with Defender' option in context menu. Attackers may use this to make it harder for users to scan files that are suspicious.

Event coverage

Provider	Event ID	Title
Sysmon	14	RegistryEvent (Key and Value Rename)

Stages and Predicates

Stage 1: `selection`

TargetObject|contains: 'shellex\ContextMenuHandlers\EPP'

Stage 2: `not 1 of filter_main_defender`

or:
Image|startswith: 'C:\Program Files (x86)\Windows Defender\'
Image|startswith: 'C:\Program Files\Windows Defender\'
Image|startswith: 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
Image|endswith: '\MsMpEng.exe'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`Image`	ends_with	`\MsMpEng.exe` corpus 13 (sigma 13)
`Image`	starts_with	`C:\Program Files (x86)\Windows Defender\` corpus 5 (sigma 5) `C:\Program Files\Windows Defender\` corpus 5 (sigma 5) `C:\ProgramData\Microsoft\Windows Defender\Platform\` corpus 7 (sigma 7)
`TargetObject`	match	`shellex\ContextMenuHandlers\EPP`