Windows Defender Context Menu Removed

title: Windows Defender Context Menu Removed
id: b9e8c7d6-a5f4-4e3d-8b1a-9f0c8d7e6a5b
related:
    - id: 72a0369a-2576-4aaf-bfc9-6bb24a574ac6
      type: similar
status: experimental
description: |
    Detects the use of reg.exe or PowerShell to delete the Windows Defender context menu handler registry keys.
    This action removes the "Scan with Microsoft Defender" option from the right-click menu for files, directories, and drives.
    Attackers may use this technique to hinder manual, on-demand scans and reduce the visibility of the security product.
references:
    - https://research.splunk.com/endpoint/395ed5fe-ad13-4366-9405-a228427bdd91/
    - https://winaero.com/how-to-delete-scan-with-windows-defender-from-context-menu-in-windows-10/
    - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
    - https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/
author: 'Matt Anderson (Huntress)'
date: 2025-07-09
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\powershell_ise.exe'
              - '\powershell.exe'
              - '\pwsh.exe'
              - '\reg.exe'
        - OriginalFileName:
              - 'powershell_ise.EXE'
              - 'PowerShell.EXE'
              - 'pwsh.dll'
              - 'reg.exe'
    selection_action:
        CommandLine|contains:
            - 'del'
            - 'Remove-Item'
            - 'ri '
    selection_reg_path:
        CommandLine|contains: '\shellex\ContextMenuHandlers\EPP'
    condition: all of selection_*
falsepositives:
    - May be part of a system customization or "debloating" script, but this is highly unusual in a managed corporate environment.
level: high