T1564.012 File/Path Exclusions Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let SuspiciousExtensions = dynamic([".exe", ".dll", ".bat", ".ps1", ".vbs", ".hta", ".js", ".cmd", ".scr", ".msi", ".cpl", ".ocx"]);
let DefaultExclusionPaths = dynamic([
    "\\Windows\\Temp\\",
    "\\SoftwareDistribution\\",
    "\\Windows\\SoftwareDistribution\\",
    "\\AppData\\Local\\Temp\\",
    "\\Windows\\WinSxS\\",
    "\\inetpub\\logs\\",
    "\\Windows\\Logs\\",
    "\\ProgramData\\Microsoft\\Windows Defender\\"
]);
let LegitSystemDroppers = dynamic(["svchost.exe", "TrustedInstaller.exe", "wuauclt.exe", "msiexec.exe", "MsMpEng.exe", "WinDefend.exe", "WUDFHost.exe"]);
// Phase 1: Identify devices where exclusion registry keys were queried (adversary discovery)
let ExclusionDiscovery = DeviceRegistryEvents
| where Timestamp > ago(24h)
| where RegistryKey has_any (
    "Windows Defender\\Exclusions\\Paths",
    "Windows Defender\\Exclusions\\Extensions",
    "Windows Defender\\Exclusions\\Processes",
    "Windows Defender\\Exclusions\\TemporaryPaths"
)
| where ActionType in ("RegistryKeyQueried", "RegistryValueRead")
| where InitiatingProcessFileName !in~ (LegitSystemDroppers)
| where InitiatingProcessFileName !in~ ("SecurityHealthService.exe", "SecurityHealthHost.exe")
| summarize DiscoveryTime=min(Timestamp), DiscoveryProcess=any(InitiatingProcessFileName), DiscoveryCmdLine=any(InitiatingProcessCommandLine) by DeviceName;
// Phase 2: Executable/script file creation in known default exclusion paths
DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType == "FileCreated"
| where FolderPath has_any (DefaultExclusionPaths)
| where FileName has_any (SuspiciousExtensions)
| where InitiatingProcessFileName !in~ (LegitSystemDroppers)
| join kind=leftouter ExclusionDiscovery on DeviceName
| extend PrecededByDiscovery = isnotempty(DiscoveryTime) and (Timestamp - DiscoveryTime) between (0min .. 24h)
| extend ConfidenceLevel = iif(PrecededByDiscovery, "High", "Medium")
| project Timestamp, DeviceName, AccountName, FileName, FolderPath,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         PrecededByDiscovery, DiscoveryProcess, DiscoveryCmdLine, ConfidenceLevel
| sort by Timestamp desc

high severity medium confidence

Data Sources

File: File Creation Windows Registry: Windows Registry Key Access Microsoft Defender for Endpoint

Required Tables

DeviceFileEvents DeviceRegistryEvents

False Positives

Windows Update agent (wuauclt.exe, WUDFHost.exe) legitimately writes executables and packages to SoftwareDistribution during patch download cycles
Software installers (msiexec.exe) extracting temporary payload files to %TEMP% or %LOCALAPPDATA%\Temp during installation sequences
Security vendors and EDR agents writing their own components to directories they have self-excluded for performance — especially during product updates
Developer CI/CD pipelines and build tools that output compiled binaries to %TEMP% directories configured as AV exclusions to speed up builds
SCCM or Intune distribution agents staging software packages in excluded directories before deployment execution

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11
| eval TargetFilename_lower=lower(TargetFilename)
| eval isSuspiciousPath=if(
    match(TargetFilename_lower,
        "\\\\windows\\\\temp\\\\|\\\\softwaredistribution\\\\|\\\\windows\\\\winsxs\\\\|\\\\appdata\\\\local\\\\temp\\\\|\\\\inetpub\\\\logs\\\\|\\\\windows\\\\logs\\\\"),
    1, 0)
| eval isSuspiciousExt=if(
    match(TargetFilename_lower,
        "\.exe$|\.dll$|\.bat$|\.ps1$|\.vbs$|\.hta$|\.js$|\.cmd$|\.scr$|\.msi$|\.cpl$|\.ocx$"),
    1, 0)
| eval isLegitProcess=if(
    match(lower(Image),
        "svchost\.exe$|trustedinstaller\.exe$|wuauclt\.exe$|msiexec\.exe$|msmpeng\.exe$|wudfhost\.exe$|windefend\.exe$"),
    1, 0)
| where isSuspiciousPath=1 AND isSuspiciousExt=1 AND isLegitProcess=0
| eval SuspicionScore=isSuspiciousPath + isSuspiciousExt
| eval FilenameOnly=mvindex(split(TargetFilename, "\\"), -1)
| table _time, host, User, Image, CommandLine, TargetFilename, FilenameOnly, SuspicionScore
| sort - _time

high severity medium confidence

Data Sources

File: File Creation Sysmon Event ID 11 (FileCreate)

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Windows Update agent writing packages to SoftwareDistribution — filter by Image matching wuauclt.exe or WUDFHost.exe
Software installers extracting components to %TEMP% during application setup — filter by msiexec.exe or signed installer parent processes
Security vendor self-updates writing new agent versions to self-excluded directories
Developer build pipelines outputting compiled artifacts to temp directories configured as AV exclusions
Enterprise management agents (SCCM, Intune MDM) staging software packages in excluded paths before deployment

Elastic Security (EQL)

eql

any where
  (event.category == "registry" and
   (registry.path : ("*\\Windows Defender\\Exclusions\\*",
                      "*\\Windows Defender\\Real-Time Protection\\*",
                      "*\\Microsoft Antimalware\\Exclusions\\*") or
    registry.path : ("*\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\*") and
    registry.value : ("*Exclusion*","DisableRealtimeMonitoring","*DisableAntiSpyware*"))) or
  (event.category == "process" and event.type == "start" and
   process.name : ("powershell.exe","pwsh.exe","cmd.exe") and
   process.args : ("*Add-MpPreference*","-ExclusionPath","-ExclusionExtension","-ExclusionProcess"))

high severity medium confidence

Data Sources

Windows Registry Events Windows Process Events

Required Tables

logs-endpoint.events.registry-* logs-endpoint.events.process-*

False Positives

Windows Update agent (wuauclt.exe, WUDFHost.exe) legitimately writes executables and packages to SoftwareDistribution during patch download cycles
Software installers (msiexec.exe) extracting temporary payload files to %TEMP% or %LOCALAPPDATA%\Temp during installation sequences
Security vendors and EDR agents writing their own components to directories they have self-excluded for performance — especially during product updates
Developer CI/CD pipelines and build tools that output compiled binaries to %TEMP% directories configured as AV exclusions to speed up builds
SCCM or Intune distribution agents staging software packages in excluded directories before deployment execution

IBM QRadar (AQL)

sql

SELECT DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') as EventTime,
  logsourcename(logsourceid) as LogSource, username as User,
  "TargetObject" as RegistryKey, "Image" as ProcessImage,
  "CommandLine" as CommandLine,
  CASE WHEN "TargetObject" ILIKE '%Windows Defender%Exclusions%Paths%' THEN 10
       WHEN "CommandLine" ILIKE '%Add-MpPreference%' THEN 9
       WHEN "TargetObject" ILIKE '%DisableRealtimeMonitoring%' THEN 9
       ELSE 6 END as RiskScore
FROM events
WHERE (
  (eventid IN (13,14) AND (
    "TargetObject" ILIKE '%Windows Defender%Exclusions%' OR
    "TargetObject" ILIKE '%DisableRealtimeMonitoring%' OR
    "TargetObject" ILIKE '%DisableAntiSpyware%'))
  OR (eventid IN (1, 4688) AND (
    "CommandLine" ILIKE '%Add-MpPreference%' AND
    ("CommandLine" ILIKE '%-ExclusionPath%' OR "CommandLine" ILIKE '%-ExclusionExtension%'
     OR "CommandLine" ILIKE '%-ExclusionProcess%')))
)
ORDER BY RiskScore DESC, EventTime DESC

high severity medium confidence

Data Sources

Windows Sysmon Windows Security Event Log

Required Tables

events

False Positives

Windows Update agent (wuauclt.exe, WUDFHost.exe) legitimately writes executables and packages to SoftwareDistribution during patch download cycles
Software installers (msiexec.exe) extracting temporary payload files to %TEMP% or %LOCALAPPDATA%\Temp during installation sequences
Security vendors and EDR agents writing their own components to directories they have self-excluded for performance — especially during product updates
Developer CI/CD pipelines and build tools that output compiled binaries to %TEMP% directories configured as AV exclusions to speed up builds
SCCM or Intune distribution agents staging software packages in excluded directories before deployment execution

Sumo Logic CSE

sql

_sourceCategory=windows/sysmon
| json auto
| where EventID in ("1","13","14")
| eval TargetLower = toLower(coalesce(TargetObject,""))
| eval CmdLower = toLower(coalesce(CommandLine,""))
| eval is_exclusion_reg = if(EventID in ("13","14") AND (
    TargetLower matches ".*windows defender.*exclusions.*" OR
    TargetLower matches ".*(disablerealtimemonitoring|disableantispyware).*"), 1, 0)
| eval is_exclusion_cmd = if(EventID == "1" AND
    CmdLower matches ".*add-mppreference.*" AND
    CmdLower matches ".*(-exclusionpath|-exclusionextension|-exclusionprocess).*", 1, 0)
| where is_exclusion_reg == 1 OR is_exclusion_cmd == 1
| eval detection_type = if(is_exclusion_reg == 1, "Registry_AV_Exclusion", "PowerShell_AV_Exclusion")
| table _time, Computer, User, Image, CommandLine, TargetObject, detection_type
| sort by _time desc

high severity medium confidence

Data Sources

Windows Sysmon via Sumo Logic

Required Tables

windows/sysmon

False Positives

Windows Update agent (wuauclt.exe, WUDFHost.exe) legitimately writes executables and packages to SoftwareDistribution during patch download cycles
Software installers (msiexec.exe) extracting temporary payload files to %TEMP% or %LOCALAPPDATA%\Temp during installation sequences
Security vendors and EDR agents writing their own components to directories they have self-excluded for performance — especially during product updates
Developer CI/CD pipelines and build tools that output compiled binaries to %TEMP% directories configured as AV exclusions to speed up builds
SCCM or Intune distribution agents staging software packages in excluded directories before deployment execution

Google Chronicle / SecOps

yaral

rule av_exclusion_addition {
  meta:
    author = "Detection Engineering"
    description = "Detects AV/EDR exclusion additions (T1564.012)"
    severity = "HIGH"
    tactic = "TA0005"

  events:
    $e.metadata.event_type = "REGISTRY_MODIFICATION"
    (
      re.regex($e.target.registry.registry_key, `(?i)Windows Defender.*(Exclusions|Real-Time Protection)`) nocase or
      re.regex($e.target.registry.registry_key, `(?i)(DisableRealtimeMonitoring|DisableAntiSpyware)`) nocase
    )

  condition:
    $e
}

high severity medium confidence

Data Sources

Windows Registry Events via Chronicle UDM

Required Tables

REGISTRY_MODIFICATION

False Positives

Windows Update agent (wuauclt.exe, WUDFHost.exe) legitimately writes executables and packages to SoftwareDistribution during patch download cycles
Software installers (msiexec.exe) extracting temporary payload files to %TEMP% or %LOCALAPPDATA%\Temp during installation sequences
Security vendors and EDR agents writing their own components to directories they have self-excluded for performance — especially during product updates
Developer CI/CD pipelines and build tools that output compiled binaries to %TEMP% directories configured as AV exclusions to speed up builds
SCCM or Intune distribution agents staging software packages in excluded directories before deployment execution

CrowdStrike LogScale (CQL)

cql

#event_simpleName = "ProcessRollup2"
| (ImageFileName = /(powershell|pwsh)\.exe$/i AND
   CommandLine = /Add-MpPreference/i AND
   CommandLine = /(-ExclusionPath|-ExclusionExtension|-ExclusionProcess)/i)
  OR (ImageFileName = /RegAsm|reg\.exe$/i AND
      CommandLine = /(Windows Defender.*Exclusions|DisableRealtimeMonitoring)/i)
| eval risk = "high"
| table timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, risk
| sort by timestamp desc

high severity medium confidence

Data Sources

CrowdStrike Falcon Process Events

Required Tables

ProcessRollup2

False Positives

Windows Update agent (wuauclt.exe, WUDFHost.exe) legitimately writes executables and packages to SoftwareDistribution during patch download cycles
Software installers (msiexec.exe) extracting temporary payload files to %TEMP% or %LOCALAPPDATA%\Temp during installation sequences
Security vendors and EDR agents writing their own components to directories they have self-excluded for performance — especially during product updates
Developer CI/CD pipelines and build tools that output compiled binaries to %TEMP% directories configured as AV exclusions to speed up builds
SCCM or Intune distribution agents staging software packages in excluded directories before deployment execution

File/Path Exclusions

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections