T1679

Selective Exclusion

Defense Evasion

This detection identifies adversaries employing selective exclusion during ransomware or destructive payload execution, where specific file extensions, directories, or system components are deliberately skipped to maintain system stability, evade detection, and ensure ransom delivery. Key indicators include script interpreter processes enumerating files with extensive system extension exclusion lists (.dll, .exe, .lnk, .sys, .msi), command-line arguments embedding regex patterns targeting multiple Windows critical extensions, explicit PowerShell exclusion operators (-notmatch, -notlike, -notcontains) filtering system file types, and mass file operation patterns that selectively skip binary and system formats. Ransomware families including Medusa, Embargo, and InvisibleFerret employ this technique to avoid system instability while maximizing encryption coverage, ensuring the victim endpoint remains operational enough to display ransom demands.

What is T1679 Selective Exclusion?

Selective Exclusion (T1679) is mapped in MITRE ATT&CK to the Defense Evasion tactic (the adversary is trying to avoid being detected).

This page provides production-ready detection logic for Selective Exclusion, covering the data sources and telemetry it touches: Microsoft Defender for Endpoint. The queries below are rated high severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic: Defense Evasion
Technique: T1679 Selective Exclusion
Canonical reference: https://attack.mitre.org/techniques/T1679/
Microsoft Sentinel / Defender (KQL)

DeviceProcessEvents
| where TimeGenerated > ago(1h)
| where FileName in~ ("powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "cmd.exe", "mshta.exe")
| where ProcessCommandLine matches regex @"(?i)(\.(dll|exe|lnk|sys|msi|bat|cmd|ini|url|drv|ocx|pif|com).*){3,}"
    or ProcessCommandLine matches regex @"(?i)(exclu|skip|avoid|ignore|bypass).{0,60}\.(dll|exe|lnk|sys|msi)"
    or ProcessCommandLine matches regex @"(?i)(-notmatch|-notlike|-notcontains|-notin|-ne).{0,80}\.(dll|exe|lnk|sys)"
| extend ExtensionCount = array_length(extract_all(@"(?i)\.(dll|exe|lnk|sys|msi|bat|cmd|ini|url|drv|ocx|pif|com)", ProcessCommandLine))
| where ExtensionCount >= 3
| extend ExclusionIndicatorType = case(
    ProcessCommandLine matches regex @"(?i)(exclu|skip|avoid|ignore|bypass)", "ExplicitExclusionKeyword",
    ProcessCommandLine matches regex @"(?i)(-notmatch|-notlike|-notcontains|-notin)", "PowerShellExclusionOperator",
    ProcessCommandLine matches regex @"(?i)(\.(dll|exe|lnk|sys|msi).*){4,}", "MultipleSystemExtensions",
    "Other"
  )
| project TimeGenerated, DeviceName, AccountName, FileName, FolderPath, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, ExtensionCount, ExclusionIndicatorType
| order by ExtensionCount desc

Detects scripting interpreter processes (PowerShell, WScript, CScript, CMD, MSHTA) executing with command-line arguments containing three or more Windows system file extensions (.dll, .exe, .lnk, .sys, .msi, etc.) or explicit exclusion keywords and operators, indicative of ransomware selective exclusion logic executed via script. Classifies detections by exclusion indicator type for analyst triage prioritization.

Severity: high. Confidence: medium.

Data Sources

Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

  • Legitimate backup agent scripts (Veeam, Commvault, Veritas) that enumerate file systems while excluding binary extensions from backup scope
  • Software deployment automation (SCCM, PDQ Deploy, Ansible) that iterates files while targeting specific document types and skipping executables
  • IT administration PowerShell scripts performing selective file operations during maintenance windows
  • Security scanner scripts that explicitly exclude certain file types from scanning scope to reduce load
  • Developer build and packaging scripts that process source files while explicitly skipping compiled outputs (.exe, .dll)

Sigma rule & cross-platform mapping

The detection logic for Selective Exclusion (T1679) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native queries for KQL (Microsoft Sentinel / Defender), SPL (Splunk), EQL (Elastic Security), AQL (IBM QRadar), Sumo Logic CSE, YARA-L (Google Chronicle / SecOps) and CQL (CrowdStrike LogScale). In Sigma terms, this detection targets the following logsource:

logsource:
  category: process_creation
  product: windows

Testing Methodology

Validate this detection against the four Atomic Red Team test cases below. Each test lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: PowerShell Selective File Exclusion with -notcontains Operator

    Expected signal: Sysmon EventCode=1 with Image ending in powershell.exe, CommandLine containing .dll, .exe, .lnk, .sys, .msi, .bat, .cmd, .ini, .url, .drv extensions and -notcontains operator

  2. Test 2: Embargo-Style Regex-Based Extension Exclusion Pattern

    Expected signal: Sysmon EventCode=1 with Image=powershell.exe, CommandLine containing regex pattern referencing dll|exe|lnk|sys|msi|bat|cmd|ini|url|drv|ocx|pif|com and -notmatch operator

  3. Test 3: CMD Batch Script Selective File Targeting with Multiple IF NOT Conditions

    Expected signal: Sysmon EventCode=1 with Image=cmd.exe, CommandLine containing .dll, .exe, .sys, .lnk, .msi, .bat in multiple IF NOT conditional statements

  4. Test 4: InvisibleFerret-Style Path and Extension Avoidance Enumeration

    Expected signal: Sysmon EventCode=1 with Image=powershell.exe, CommandLine containing avoidExtensions array with 12 system extensions, avoidPaths array, -notcontains and -like operators, Get-ChildItem cmdlet
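The KQL query, the false-positive list and the four test expectations above can be exercised offline with the following added example. It is editorial code, not the page's query and not any vendor's tooling: it re-implements the query's three trigger regexes, the ExtensionCount gate and the ExclusionIndicatorType case() in Python and runs them over constructed DeviceProcessEvents-style rows modelled on the four tests plus two benign rows. The `_row` helper, the device name, the command lines and the parent-process allowlist entry (a placeholder, not a real backup product binary) are all assumptions made for the example.

```python
"""Offline replay of the T1679 Selective Exclusion detection logic.

Added example, not the page's own query: the regexes, ExtensionCount gate and
ExclusionIndicatorType case() from the KQL are re-implemented here so the rule
can be exercised against constructed DeviceProcessEvents-style rows.
"""
import re

# FileName in~ (...): the script interpreters the query is scoped to.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "cmd.exe", "mshta.exe"}

ALL_EXT = r"\.(dll|exe|lnk|sys|msi|bat|cmd|ini|url|drv|ocx|pif|com)"
SYS_EXT = r"\.(dll|exe|lnk|sys|msi)"

# The three OR-ed conditions of the query's second `where` clause.
TRIGGERS = [
    re.compile(rf"({ALL_EXT}.*){{3,}}", re.I),
    re.compile(rf"(exclu|skip|avoid|ignore|bypass).{{0,60}}{SYS_EXT}", re.I),
    re.compile(r"(-notmatch|-notlike|-notcontains|-notin|-ne).{0,80}\.(dll|exe|lnk|sys)", re.I),
]
# extract_all(...) feeding ExtensionCount. As in the query there is no word
# boundary, so the interpreter's own ".exe" and any ".com" in a domain count.
EXT_COUNTER = re.compile(ALL_EXT, re.I)

# case() branches in the query's order; the first match labels the finding.
CLASSIFIERS = [
    (re.compile(r"exclu|skip|avoid|ignore|bypass", re.I), "ExplicitExclusionKeyword"),
    (re.compile(r"-notmatch|-notlike|-notcontains|-notin", re.I), "PowerShellExclusionOperator"),
    (re.compile(rf"({SYS_EXT}.*){{4,}}", re.I), "MultipleSystemExtensions"),
]

# Tuning layer for the backup-agent false positive: a parent-process allowlist.
# The name is a placeholder for this example, not a real product binary.
ALLOWLISTED_PARENTS = {"backupagent-placeholder.exe"}


def evaluate(event):
    """Run one row through the query; return the projected finding or None."""
    if event["FileName"].lower() not in INTERPRETERS:
        return None
    cmd = event["ProcessCommandLine"]
    if not any(rx.search(cmd) for rx in TRIGGERS):
        return None
    ext_count = len(EXT_COUNTER.findall(cmd))
    if ext_count < 3:                       # | where ExtensionCount >= 3
        return None
    label = next((name for rx, name in CLASSIFIERS if rx.search(cmd)), "Other")
    return {
        "DeviceName": event["DeviceName"],
        "FileName": event["FileName"],
        "ExtensionCount": ext_count,
        "ExclusionIndicatorType": label,
        # Allowlisted parents are kept in the output but flagged for suppression.
        "Suppressed": event.get("InitiatingProcessFileName", "").lower() in ALLOWLISTED_PARENTS,
    }


def run(events):
    """Findings for all rows, highest ExtensionCount first (| order by ... desc)."""
    hits = [f for f in map(evaluate, events) if f is not None]
    return sorted(hits, key=lambda f: f["ExtensionCount"], reverse=True)


def _row(name, parent, cmd):
    """Build a constructed DeviceProcessEvents-style row (helper for the samples)."""
    return {"DeviceName": "WS-01", "FileName": name,
            "InitiatingProcessFileName": parent, "ProcessCommandLine": cmd}


# Constructed rows modelled on the four tests above and on the false-positive list.
SAMPLE_EVENTS = [
    # Test 1 style: extension array filtered with -notcontains.
    _row("powershell.exe", "explorer.exe",
         "powershell.exe -nop -c \"$ext=@('.dll','.exe','.lnk','.sys','.msi','.bat','.cmd',"
         "'.ini','.url','.drv'); Get-ChildItem C:\\Users -Recurse -File | "
         "Where-Object { $ext -notcontains $_.Extension }\""),
    # Test 2 style: regex alternation of extensions with -notmatch.
    _row("powershell.exe", "explorer.exe",
         "powershell.exe -c \"Get-ChildItem D:\\Share -Recurse -File | Where-Object "
         "{ $_.Name -notmatch '\\.dll$|\\.exe$|\\.lnk$|\\.sys$|\\.msi$' }\""),
    # Test 3 style: batch loop with several IF NOT extension checks.
    _row("cmd.exe", "explorer.exe",
         "cmd.exe /c for /r D:\\Data %f in (*) do if not \"%~xf\"==\".dll\" "
         "if not \"%~xf\"==\".exe\" if not \"%~xf\"==\".sys\" if not \"%~xf\"==\".lnk\" "
         "if not \"%~xf\"==\".msi\" echo %f"),
    # Test 4 style: avoidExtensions / avoidPaths arrays with -notcontains and -notlike.
    _row("powershell.exe", "explorer.exe",
         "powershell.exe -c \"$avoidExtensions=@('.dll','.exe','.lnk','.sys','.msi','.bat',"
         "'.cmd','.ini','.url','.drv','.ocx','.pif'); $avoidPaths=@('*\\Windows\\*'); "
         "Get-ChildItem C:\\ -Recurse -File | Where-Object { $avoidExtensions -notcontains "
         "$_.Extension -and $_.FullName -notlike $avoidPaths[0] }\""),
    # False positive: backup script excluding binaries, launched by an allowlisted agent.
    _row("powershell.exe", "backupagent-placeholder.exe",
         "powershell.exe -File C:\\Scripts\\nightly-backup.ps1 -Exclude *.dll,*.exe,*.sys "
         "-Destination \\\\backup01\\docs"),
    # Benign interpreter use with no extension list: must not fire.
    _row("powershell.exe", "explorer.exe",
         "powershell.exe -c \"Get-Service | Where-Object { $_.Status -ne 'Running' }\""),
    # Not a script interpreter: out of scope regardless of command line.
    _row("msiexec.exe", "explorer.exe", "msiexec.exe /i setup.msi /qn"),
]

if __name__ == "__main__":
    for finding in run(SAMPLE_EVENTS):
        print(finding)
```

Running the replay shows two properties of the query worth knowing before tuning it. First, because the extraction regex has no word boundary, the interpreter's own `.exe` in the command line is counted, so every row here scores one higher than its extension list suggests (the backup row reaches 4, not 3), and a `.com` domain name in a command line counts the same way. Second, a regex written in the grouped form `\.(dll|exe|...)` contributes nothing to ExtensionCount, since a parenthesis sits between the dot and the name; the Test 2 row therefore uses the alternation form `\.dll$|\.exe$|...` so that it clears the `>= 3` gate. If the query is run in Defender Advanced Hunting rather than Sentinel, the time column on DeviceProcessEvents is `Timestamp` rather than `TimeGenerated`.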
