T1564.012 Splunk · SPL

Detect File/Path Exclusions in Splunk

Adversaries may attempt to hide their file-based artifacts by writing them to specific folders or file names excluded from antivirus (AV) scanning and other defensive capabilities. AV and other file-based scanners often include exclusions to optimize performance as well as ease installation and legitimate use of applications. These exclusions may be contextual or hardcoded strings referencing specific folders and files assumed to be trusted. Adversaries typically perform a discovery phase first — enumerating existing exclusion paths via registry queries or Get-MpPreference — then stage payloads precisely in those excluded locations to bypass real-time scanning. Turla has been documented placing LunarWeb implant files in AV-excluded directories as part of long-term persistence operations against diplomatic targets.

MITRE ATT&CK

Tactic: Defense Evasion
Technique: T1564 Hide Artifacts
Sub-technique: T1564.012 File/Path Exclusions
Canonical reference: https://attack.mitre.org/techniques/T1564/012/

SPL Detection Query

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11
| eval TargetFilename_lower=lower(TargetFilename)
| eval isSuspiciousPath=if(
    match(TargetFilename_lower,
        "\\\\windows\\\\temp\\\\|\\\\softwaredistribution\\\\|\\\\windows\\\\winsxs\\\\|\\\\appdata\\\\local\\\\temp\\\\|\\\\inetpub\\\\logs\\\\|\\\\windows\\\\logs\\\\"),
    1, 0)
| eval isSuspiciousExt=if(
    match(TargetFilename_lower,
        "\.exe$|\.dll$|\.bat$|\.ps1$|\.vbs$|\.hta$|\.js$|\.cmd$|\.scr$|\.msi$|\.cpl$|\.ocx$"),
    1, 0)
| eval isLegitProcess=if(
    match(lower(Image),
        "svchost\.exe$|trustedinstaller\.exe$|wuauclt\.exe$|msiexec\.exe$|msmpeng\.exe$|wudfhost\.exe$|windefend\.exe$"),
    1, 0)
| where isSuspiciousPath=1 AND isSuspiciousExt=1 AND isLegitProcess=0
| eval SuspicionScore=isSuspiciousPath + isSuspiciousExt
| eval FilenameOnly=mvindex(split(TargetFilename, "\\"), -1)
| table _time, host, User, Image, CommandLine, TargetFilename, FilenameOnly, SuspicionScore
| sort - _time
Severity: high · Confidence: medium

Detects executable and script file creation in known Windows Defender default exclusion paths using Sysmon EventCode 11 (FileCreate). Evaluates each file creation event against a list of suspicious paths and extensions, excluding known legitimate system droppers (Windows Update, TrustedInstaller, MSI engine). SuspicionScore provides prioritization. For the adversary discovery phase (registry queries of exclusion keys), supplement this query with Security Event ID 4657 (if object access auditing is enabled on the Defender exclusion registry keys) or use Microsoft Defender for Endpoint DeviceRegistryEvents in the KQL variant of this detection.

Data Sources

File: File Creation (Sysmon Event ID 11, FileCreate)

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives & Tuning

  • Windows Update agent writing packages to SoftwareDistribution — filter by Image matching wuauclt.exe or WUDFHost.exe
  • Software installers extracting components to %TEMP% during application setup — filter by msiexec.exe or signed installer parent processes
  • Security vendor self-updates writing new agent versions to self-excluded directories
  • Developer build pipelines outputting compiled artifacts to temp directories configured as AV exclusions
  • Enterprise management agents (SCCM, Intune MDM) staging software packages in excluded paths before deployment

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Enumerate Windows Defender Exclusion Paths via Registry Query

    Expected signal: Security Event ID 4657 (if SACL auditing is configured on Defender exclusion keys): ObjectName matching 'Windows Defender\Exclusions', ProcessName=reg.exe. DeviceRegistryEvents in MDE: ActionType=RegistryKeyQueried, RegistryKey containing 'Windows Defender\Exclusions', InitiatingProcessFileName=reg.exe. Sysmon Event ID 1: Process Create with Image=reg.exe and CommandLine containing 'Windows Defender\Exclusions\Paths'.

  2. Test 2: Enumerate Defender Exclusions via PowerShell Get-MpPreference and Stage Payload

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe and CommandLine containing 'Get-MpPreference'. PowerShell ScriptBlock Log Event ID 4104: Full script captured including Get-MpPreference call and Set-Content file write. DeviceRegistryEvents in MDE: RegistryValueRead on Defender exclusion paths by powershell.exe. Sysmon Event ID 11: FileCreate for argus-t1564012-test.ps1 in the exclusion path with Image=powershell.exe.

  3. Test 3: Stage Executable Payload in Windows SoftwareDistribution (Default AV Exclusion)

    Expected signal: Sysmon Event ID 11: FileCreate with TargetFilename=C:\Windows\SoftwareDistribution\argus-t1564012-payload.exe and Image=cmd.exe. DeviceFileEvents in MDE: ActionType=FileCreated, FolderPath containing 'SoftwareDistribution', FileName=argus-t1564012-payload.exe, InitiatingProcessFileName=cmd.exe. SHA256 will match notepad.exe (benign hash) but the location is anomalous — demonstrates why path-based detection is essential for this technique.

  4. Test 4: Execute Staged Payload from Exclusion Path (Full Attack Chain Validation)

    Expected signal: Sysmon Event ID 11: FileCreate for argus-t1564012-exec.ps1 in C:\Windows\Temp with Image=cmd.exe. Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine referencing C:\Windows\Temp\argus-t1564012-exec.ps1, ParentImage=cmd.exe. PowerShell ScriptBlock Log Event ID 4104: Captures the script content. DeviceProcessEvents in MDE: FolderPath=C:\Windows\Temp, FileName=powershell.exe, ProcessCommandLine containing 'argus-t1564012-exec.ps1'.
