LoFP / May be part of a system customization or "debloating" script, but this is highly unusual in a managed corporate environment.

Techniques

Sample rules

Windows Defender Context Menu Removed

Description

Detects the use of reg.exe or PowerShell to delete the Windows Defender context menu handler registry keys. This action removes the “Scan with Microsoft Defender” option from the right-click menu for files, directories, and drives. Attackers may use this technique to hinder manual, on-demand scans and reduce the visibility of the security product.

Detection logic

condition: all of selection_*
selection_action:
    CommandLine|contains:
        - 'del'
        - 'Remove-Item'
        - 'ri '
selection_img:
    - Image|endswith:
        - '\powershell_ise.exe'
        - '\powershell.exe'
        - '\pwsh.exe'
        - '\reg.exe'
    - OriginalFileName:
        - 'powershell_ise.EXE'
        - 'PowerShell.EXE'
        - 'pwsh.dll'
        - 'reg.exe'
selection_reg_path:
    CommandLine|contains: '\shellex\ContextMenuHandlers\EPP'
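To see how the three selections combine, here is an added Python evaluator of this rule (not part of the LoFP page or the Sigma rule itself) run over constructed process-creation events, including the debloating-script false positive described at the top of the page. The Event field names and every sample command line are assumptions, not real telemetry.

```python
from dataclasses import dataclass

# Constructed process-creation event (field names assumed; not real telemetry).
@dataclass
class Event:
    image: str
    original_file_name: str
    command_line: str

# Values copied from the rule's three selections.
IMAGE_SUFFIXES = ["\\powershell_ise.exe", "\\powershell.exe", "\\pwsh.exe", "\\reg.exe"]
ORIGINAL_NAMES = ["powershell_ise.EXE", "PowerShell.EXE", "pwsh.dll", "reg.exe"]
ACTION_TOKENS = ["del", "Remove-Item", "ri "]
REG_PATH = "\\shellex\\ContextMenuHandlers\\EPP"

# Sigma string matching is case-insensitive: |contains is a substring test,
# |endswith a suffix test, and a bare field an exact match.
def contains_any(value: str, needles: list[str]) -> bool:
    return any(n.lower() in value.lower() for n in needles)

def endswith_any(value: str, suffixes: list[str]) -> bool:
    return any(value.lower().endswith(s.lower()) for s in suffixes)

def equals_any(value: str, candidates: list[str]) -> bool:
    return value.lower() in (c.lower() for c in candidates)

def rule_matches(ev: Event) -> bool:
    # selection_img is a list of two maps, so either map may satisfy it (OR).
    selection_img = endswith_any(ev.image, IMAGE_SUFFIXES) or equals_any(
        ev.original_file_name, ORIGINAL_NAMES)
    selection_action = contains_any(ev.command_line, ACTION_TOKENS)
    selection_reg_path = contains_any(ev.command_line, [REG_PATH])
    return selection_img and selection_action and selection_reg_path  # all of selection_*

SAMPLES = {
    # reg.exe deletion: 'del' is a substring of 'delete', so selection_action fires.
    "reg_delete": Event(r"C:\Windows\System32\reg.exe", "reg.exe",
        r'reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f'),
    # The LoFP case: a debloating script removing the key with Remove-Item.
    "debloat_script": Event(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "PowerShell.EXE", r"Remove-Item -Path 'HKLM:\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\EPP' -Recurse -Force"),
    # Read-only query of the same key: no action token, so no alert.
    "reg_query": Event(r"C:\Windows\System32\reg.exe", "reg.exe",
        r'reg.exe query "HKCR\*\shellex\ContextMenuHandlers\EPP"'),
    # OriginalFileName comes from the PE version resource, so the match survives a renamed binary.
    "renamed_reg": Event(r"C:\Temp\r.exe", "reg.exe",
        r'r.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f'),
    # cmd.exe wrapper: neither Image nor OriginalFileName matches; the child reg.exe event would.
    "cmd_wrapper": Event(r"C:\Windows\System32\cmd.exe", "Cmd.Exe",
        r'cmd.exe /c reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f'),
}

def evaluate_samples() -> dict[str, bool]:
    return {name: rule_matches(ev) for name, ev in SAMPLES.items()}
```

The cmd_wrapper result illustrates why the rule keys on the process that actually touches the registry rather than on its parent: the alert arrives on the spawned reg.exe event.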