Detect File/Path Exclusions in Microsoft Sentinel
Adversaries may attempt to hide their file-based artifacts by writing them to specific folders or file names excluded from antivirus (AV) scanning and other defensive capabilities. AV and other file-based scanners often include exclusions to optimize performance as well as ease installation and legitimate use of applications. These exclusions may be contextual or hardcoded strings referencing specific folders and files assumed to be trusted. Adversaries typically perform a discovery phase first — enumerating existing exclusion paths via registry queries or Get-MpPreference — then stage payloads precisely in those excluded locations to bypass real-time scanning. Turla has been documented placing LunarWeb implant files in AV-excluded directories as part of long-term persistence operations against diplomatic targets.
MITRE ATT&CK
- Tactic: Defense Evasion
- Technique: T1564 Hide Artifacts
- Sub-technique: T1564.012 File/Path Exclusions
- Canonical reference: https://attack.mitre.org/techniques/T1564/012/
KQL Detection Query
```kql
let SuspiciousExtensions = dynamic([".exe", ".dll", ".bat", ".ps1", ".vbs", ".hta", ".js", ".cmd", ".scr", ".msi", ".cpl", ".ocx"]);
let DefaultExclusionPaths = dynamic([
    "\\Windows\\Temp\\",
    "\\SoftwareDistribution\\",
    "\\Windows\\SoftwareDistribution\\",
    "\\AppData\\Local\\Temp\\",
    "\\Windows\\WinSxS\\",
    "\\inetpub\\logs\\",
    "\\Windows\\Logs\\",
    "\\ProgramData\\Microsoft\\Windows Defender\\"
]);
let LegitSystemDroppers = dynamic(["svchost.exe", "TrustedInstaller.exe", "wuauclt.exe", "msiexec.exe", "MsMpEng.exe", "WinDefend.exe", "WUDFHost.exe"]);
// Phase 1: Identify devices where exclusion registry keys were queried (adversary discovery)
let ExclusionDiscovery = DeviceRegistryEvents
| where Timestamp > ago(24h)
| where RegistryKey has_any (
    "Windows Defender\\Exclusions\\Paths",
    "Windows Defender\\Exclusions\\Extensions",
    "Windows Defender\\Exclusions\\Processes",
    "Windows Defender\\Exclusions\\TemporaryPaths"
)
| where ActionType in ("RegistryKeyQueried", "RegistryValueRead")
| where InitiatingProcessFileName !in~ (LegitSystemDroppers)
| where InitiatingProcessFileName !in~ ("SecurityHealthService.exe", "SecurityHealthHost.exe")
// take_any() is the current name of the deprecated any() aggregation
| summarize DiscoveryTime=min(Timestamp), DiscoveryProcess=take_any(InitiatingProcessFileName), DiscoveryCmdLine=take_any(InitiatingProcessCommandLine) by DeviceName;
// Phase 2: Executable/script file creation in known default exclusion paths
DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType == "FileCreated"
| where FolderPath has_any (DefaultExclusionPaths)
| where FileName has_any (SuspiciousExtensions)
| where InitiatingProcessFileName !in~ (LegitSystemDroppers)
| join kind=leftouter ExclusionDiscovery on DeviceName
// Discovery counts only if it happened before the file drop, within the 24h window
| extend PrecededByDiscovery = isnotempty(DiscoveryTime) and (Timestamp - DiscoveryTime) between (0min .. 24h)
| extend ConfidenceLevel = iif(PrecededByDiscovery, "High", "Medium")
| project Timestamp, DeviceName, AccountName, FileName, FolderPath,
    InitiatingProcessFileName, InitiatingProcessCommandLine,
    PrecededByDiscovery, DiscoveryProcess, DiscoveryCmdLine, ConfidenceLevel
| sort by Timestamp desc
```
Detects executable and script files dropped into known Windows Defender default exclusion paths such as SoftwareDistribution, Windows\Temp, and WinSxS by non-system processes. Correlates file creation events (DeviceFileEvents) with prior registry reads of Defender exclusion configuration keys (DeviceRegistryEvents), surfacing a ConfidenceLevel of High when both phases are observed on the same device within 24 hours. The PrecededByDiscovery boolean field flags the highest-priority events, where adversary exclusion enumeration directly preceded payload staging.
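To unit-test the two-phase correlation above before deploying it (or after tuning the allowlists), the same logic can be reproduced offline over constructed rows. This is an added Python re-implementation, not code from the original page or from Sentinel; the `exclusion_discovery`, `detect_staging` and `_drop` names and the sample events are assumptions, and the edge cases it exercises are a legitimate dropper (filtered), a drop that happened before the registry read (Medium, not High), and a read by an allowlisted process (no discovery).

```python
from datetime import datetime, timedelta
# Mirrors the query's let-bindings; lower-cased because KQL's !in~ and has_any are case-insensitive.
SUSPICIOUS_EXT = (".exe", ".dll", ".bat", ".ps1", ".vbs", ".hta", ".js", ".cmd", ".scr", ".msi", ".cpl", ".ocx")
EXCLUSION_PATHS = ("\\windows\\temp\\", "\\softwaredistribution\\", "\\appdata\\local\\temp\\", "\\windows\\winsxs\\")
LEGIT_DROPPERS = {"svchost.exe", "trustedinstaller.exe", "wuauclt.exe", "msiexec.exe", "msmpeng.exe", "windefend.exe", "wudfhost.exe"}
DISCOVERY_ALLOWLIST = LEGIT_DROPPERS | {"securityhealthservice.exe", "securityhealthhost.exe"}

def exclusion_discovery(registry_events):
    """Phase 1: earliest read of a Defender Exclusions key per device by a non-system process."""
    found = {}
    for ev in registry_events:
        if (ev["ActionType"] in ("RegistryKeyQueried", "RegistryValueRead")
                and "windows defender\\exclusions\\" in ev["RegistryKey"].lower()
                and ev["InitiatingProcessFileName"].lower() not in DISCOVERY_ALLOWLIST):
            prev = found.get(ev["DeviceName"])
            if prev is None or ev["Timestamp"] < prev[0]:  # same as summarize min(Timestamp)
                found[ev["DeviceName"]] = (ev["Timestamp"], ev["InitiatingProcessFileName"])
    return found

def detect_staging(file_events, registry_events, window=timedelta(hours=24)):
    """Phase 2: script/executable created in a default exclusion path, left-joined to Phase 1."""
    discovery, alerts = exclusion_discovery(registry_events), []
    for ev in file_events:
        if (ev["ActionType"] != "FileCreated"
                or not any(p in ev["FolderPath"].lower() for p in EXCLUSION_PATHS)
                or not ev["FileName"].lower().endswith(SUSPICIOUS_EXT)
                or ev["InitiatingProcessFileName"].lower() in LEGIT_DROPPERS):
            continue
        disc = discovery.get(ev["DeviceName"])
        # The read must precede the drop and fall inside the window; a read after the drop does not count.
        preceded = disc is not None and timedelta(0) <= ev["Timestamp"] - disc[0] <= window
        alerts.append({"DeviceName": ev["DeviceName"], "FileName": ev["FileName"], "PrecededByDiscovery": preceded,
                       "DiscoveryProcess": disc[1] if disc else None, "ConfidenceLevel": "High" if preceded else "Medium"})
    return alerts
# Constructed sample telemetry (not real events). ws01: reg.exe reads the key, then cmd.exe drops an EXE.
T0 = datetime(2024, 1, 1, 12, 0)
KEY = "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths"
REGISTRY_SAMPLE = [
    {"Timestamp": T0, "DeviceName": "ws01", "ActionType": "RegistryKeyQueried", "RegistryKey": KEY, "InitiatingProcessFileName": "reg.exe"},
    {"Timestamp": T0, "DeviceName": "ws02", "ActionType": "RegistryValueRead", "RegistryKey": KEY, "InitiatingProcessFileName": "SecurityHealthService.exe"},
]
def _drop(ts, dev, folder, name, proc):  # helper building a constructed DeviceFileEvents row
    return {"Timestamp": ts, "DeviceName": dev, "ActionType": "FileCreated", "FolderPath": folder, "FileName": name, "InitiatingProcessFileName": proc}
FILE_SAMPLE = [
    _drop(T0 + timedelta(minutes=5), "ws01", "C:\\Windows\\SoftwareDistribution\\", "drop.exe", "cmd.exe"),      # High
    _drop(T0 + timedelta(minutes=5), "ws01", "C:\\Windows\\SoftwareDistribution\\", "patch.msi", "wuauclt.exe"), # filtered: legit dropper
    _drop(T0 - timedelta(hours=1), "ws01", "C:\\Windows\\Temp\\", "early.ps1", "powershell.exe"),              # Medium: drop before read
    _drop(T0, "ws02", "C:\\Users\\bob\\AppData\\Local\\Temp\\", "run.bat", "cmd.exe"),                          # Medium: read was by allowlisted process
]
```

Running `detect_staging(FILE_SAMPLE, REGISTRY_SAMPLE)` yields three alerts, of which only drop.exe is High; re-running after editing the allowlists shows immediately which rows a tuning change would suppress.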
Data Sources
Required Tables
- DeviceFileEvents (Microsoft Defender for Endpoint advanced hunting)
- DeviceRegistryEvents (Microsoft Defender for Endpoint advanced hunting)
False Positives & Tuning
- Windows Update agent (wuauclt.exe, WUDFHost.exe) legitimately writes executables and packages to SoftwareDistribution during patch download cycles
- Software installers (msiexec.exe) extracting temporary payload files to %TEMP% or %LOCALAPPDATA%\Temp during installation sequences
- Security vendors and EDR agents writing their own components to directories they have self-excluded for performance — especially during product updates
- Developer CI/CD pipelines and build tools that output compiled binaries to %TEMP% directories configured as AV exclusions to speed up builds
- SCCM or Intune distribution agents staging software packages in excluded directories before deployment execution
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Enumerate Windows Defender Exclusion Paths via Registry Query
Expected signal: Security Event ID 4657 (if SACL auditing is configured on Defender exclusion keys): ObjectName matching 'Windows Defender\Exclusions', ProcessName=reg.exe. DeviceRegistryEvents in MDE: ActionType=RegistryKeyQueried, RegistryKey containing 'Windows Defender\Exclusions', InitiatingProcessFileName=reg.exe. Sysmon Event ID 1: Process Create with Image=reg.exe and CommandLine containing 'Windows Defender\Exclusions\Paths'.
- Test 2: Enumerate Defender Exclusions via PowerShell Get-MpPreference and Stage Payload
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe and CommandLine containing 'Get-MpPreference'. PowerShell ScriptBlock Log Event ID 4104: Full script captured including Get-MpPreference call and Set-Content file write. DeviceRegistryEvents in MDE: RegistryValueRead on Defender exclusion paths by powershell.exe. Sysmon Event ID 11: FileCreate for argus-t1564012-test.ps1 in the exclusion path with Image=powershell.exe.
- Test 3: Stage Executable Payload in Windows SoftwareDistribution (Default AV Exclusion)
Expected signal: Sysmon Event ID 11: FileCreate with TargetFilename=C:\Windows\SoftwareDistribution\argus-t1564012-payload.exe and Image=cmd.exe. DeviceFileEvents in MDE: ActionType=FileCreated, FolderPath containing 'SoftwareDistribution', FileName=argus-t1564012-payload.exe, InitiatingProcessFileName=cmd.exe. SHA256 will match notepad.exe (benign hash) but the location is anomalous — demonstrates why path-based detection is essential for this technique.
- Test 4: Execute Staged Payload from Exclusion Path (Full Attack Chain Validation)
Expected signal: Sysmon Event ID 11: FileCreate for argus-t1564012-exec.ps1 in C:\Windows\Temp with Image=cmd.exe. Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine referencing C:\Windows\Temp\argus-t1564012-exec.ps1, ParentImage=cmd.exe. PowerShell ScriptBlock Log Event ID 4104: Captures the script content. DeviceProcessEvents in MDE: FolderPath=C:\Windows\Temp, FileName=powershell.exe, ProcessCommandLine containing 'argus-t1564012-exec.ps1'.
References (9)
- https://attack.mitre.org/techniques/T1564/012/
- https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-contextual-file-folder-exclusions-microsoft-defender-antivirus
- https://learn.microsoft.com/en-us/defender-endpoint/configure-exclusions-microsoft-defender-antivirus
- https://www.welivesecurity.com/en/eset-research/turla-lunar-toolset/
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicefileevents-table
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceregistryevents-table
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.012/T1564.012.md
- https://learn.microsoft.com/en-us/powershell/module/defender/get-mppreference
- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4657