T1679 Splunk · SPL

Detect Selective Exclusion in Splunk

This detection identifies adversaries employing selective exclusion during ransomware or destructive payload execution, where specific file extensions, directories, or system components are deliberately skipped to maintain system stability, evade detection, and ensure ransom delivery. Key indicators include script interpreter processes enumerating files with extensive system extension exclusion lists (.dll, .exe, .lnk, .sys, .msi), command-line arguments embedding regex patterns targeting multiple Windows critical extensions, explicit PowerShell exclusion operators (-notmatch, -notlike, -notcontains) filtering system file types, and mass file operation patterns that selectively skip binary and system formats. Ransomware families including Medusa, Embargo, and InvisibleFerret employ this technique to avoid system instability while maximizing encryption coverage, ensuring the victim endpoint remains operational enough to display ransom demands.

MITRE ATT&CK

Tactic: Defense Evasion
Technique: T1679 Selective Exclusion
Canonical reference: https://attack.mitre.org/techniques/T1679/

SPL Detection Query

Splunk (SPL)
index=* sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
    (Image="*\\powershell.exe" OR Image="*\\pwsh.exe" OR Image="*\\wscript.exe" OR Image="*\\cscript.exe" OR Image="*\\cmd.exe" OR Image="*\\mshta.exe")
| eval cmd_lower=lower(CommandLine)
| eval has_exclusion_keyword=if(match(cmd_lower, "exclu|skip|avoid|ignore|bypass|-notmatch|-notlike|-notcontains"), 1, 0)
| eval dll_refs=mvcount(split(cmd_lower, ".dll")) - 1
| eval exe_refs=mvcount(split(cmd_lower, ".exe")) - 1
| eval sys_refs=mvcount(split(cmd_lower, ".sys")) - 1
| eval lnk_refs=mvcount(split(cmd_lower, ".lnk")) - 1
| eval msi_refs=mvcount(split(cmd_lower, ".msi")) - 1
| eval bat_refs=mvcount(split(cmd_lower, ".bat")) - 1
| eval drv_refs=mvcount(split(cmd_lower, ".drv")) - 1
| eval total_ext_refs=dll_refs + exe_refs + sys_refs + lnk_refs + msi_refs + bat_refs + drv_refs
| where total_ext_refs >= 3 OR has_exclusion_keyword=1
| eval risk_score=case(
    has_exclusion_keyword=1 AND total_ext_refs >= 4, "HIGH",
    has_exclusion_keyword=1 AND total_ext_refs >= 2, "MEDIUM",
    total_ext_refs >= 6, "MEDIUM",
    1=1, "LOW"
  )
| table _time, ComputerName, User, Image, CommandLine, ParentImage, ParentCommandLine, total_ext_refs, has_exclusion_keyword, risk_score
| sort - total_ext_refs
Severity: high · Confidence: medium

Detects Sysmon process creation events where scripting interpreters execute with command lines containing multiple Windows system file extension references or explicit exclusion keywords/operators. Scores each detection by risk level based on extension reference count and presence of explicit exclusion operators to enable analyst prioritization.
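To unit-test the scoring logic before shipping the query, the heuristic can be reproduced outside Splunk and run over constructed Sysmon-like records. The block below is an added example, not code from the page or from Splunk: it mirrors the Image filter, the extension counting, the exclusion-keyword regex and the risk_score case() branches, and feeds it events shaped like Test 3 and Test 4 from the Testing Methodology plus a benign backup runbook from the tuning list. All paths, script names and command lines are constructed.

```python
import re

# Heuristics mirrored from the SPL query on this page (added example; constructed events, not real telemetry).
INTERPRETERS = ("powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "cmd.exe", "mshta.exe")
SYSTEM_EXTS = (".dll", ".exe", ".sys", ".lnk", ".msi", ".bat", ".drv")
EXCLUSION_RE = re.compile(r"exclu|skip|avoid|ignore|bypass|-notmatch|-notlike|-notcontains")


def score_event(image, command_line):
    """Return (total_ext_refs, has_exclusion_keyword, risk_score), or None when the Image filter or `where` drops it."""
    # Image="*\\powershell.exe" etc.: match the trailing path component only.
    if not image.lower().endswith(tuple("\\" + i for i in INTERPRETERS)):
        return None
    cmd_lower = command_line.lower()
    has_kw = 1 if EXCLUSION_RE.search(cmd_lower) else 0
    # mvcount(split(cmd_lower, ".dll")) - 1 equals the literal occurrence count, so str.count reproduces each *_refs field.
    total = sum(cmd_lower.count(ext) for ext in SYSTEM_EXTS)
    if total < 3 and not has_kw:
        return None
    if has_kw and total >= 4:
        risk = "HIGH"
    elif (has_kw and total >= 2) or total >= 6:
        risk = "MEDIUM"
    else:
        risk = "LOW"
    return total, has_kw, risk


def run_detection(events):
    """Apply score_event to Sysmon-like dicts and order hits like `sort - total_ext_refs`."""
    hits = []
    for ev in events:
        result = score_event(ev["Image"], ev["CommandLine"])
        if result:
            hits.append((ev["Image"], *result))
    return sorted(hits, key=lambda h: h[1], reverse=True)


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed examples modelled on the Testing Methodology
    # Test 4 shape: avoidExtensions array plus -notcontains and Get-ChildItem -> HIGH (8 refs, keyword hit)
    {"Image": PS, "CommandLine": PS + r" -Command $avoidExtensions=@('.dll','.exe','.lnk','.sys','.msi','.bat','.cmd','.ini','.url','.drv','.ocx','.com'); Get-ChildItem C:\Users -Recurse | Where-Object { $avoidExtensions -notcontains $_.Extension }"},
    # Test 3 shape: batch IF NOT chain has no keyword the regex knows, so it only scores LOW (4 refs)
    {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": r'cmd.exe /c for /r C:\Data %f in (*) do @(if /i not "%~xf"==".dll" if /i not "%~xf"==".exe" if /i not "%~xf"==".sys" echo %f)'},
    # Backup runbook from the tuning list: -Exclude alone lifts it to MEDIUM (3 refs, keyword hit)
    {"Image": PS, "CommandLine": PS + r" -File C:\Scripts\backup.ps1 -Exclude *.exe,*.dll"},
    # Non-interpreter image is never considered
    {"Image": r"C:\Windows\explorer.exe", "CommandLine": r"explorer.exe C:\Users\Public"},
]
```

Note that the interpreter's own ".exe" in CommandLine counts as one reference, which is why a cmd.exe batch loop with only two excluded extensions still clears the `total_ext_refs >= 3` gate.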

Data Sources

Sysmon

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives & Tuning

  • Backup and archival scripts that enumerate file systems while explicitly skipping system binaries
  • Administrative PowerShell runbooks performing selective file operations during scheduled maintenance
  • Software deployment systems iterating target file types while filtering out executables and system libraries
  • Security tools performing selective file scanning or remediation workflows with extension-based scoping
  • Developer CI/CD pipeline scripts processing source files while skipping compiled binary outputs

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: PowerShell Selective File Exclusion with -notcontains Operator

    Expected signal: Sysmon EventCode=1 with Image ending in powershell.exe, CommandLine containing .dll, .exe, .lnk, .sys, .msi, .bat, .cmd, .ini, .url, .drv extensions and -notcontains operator

  2. Test 2: Embargo-Style Regex-Based Extension Exclusion Pattern

    Expected signal: Sysmon EventCode=1 with Image=powershell.exe, CommandLine containing regex pattern referencing dll|exe|lnk|sys|msi|bat|cmd|ini|url|drv|ocx|pif|com and -notmatch operator

  3. Test 3: CMD Batch Script Selective File Targeting with Multiple IF NOT Conditions

    Expected signal: Sysmon EventCode=1 with Image=cmd.exe, CommandLine containing .dll, .exe, .sys, .lnk, .msi, .bat in multiple IF NOT conditional statements

  4. Test 4: InvisibleFerret-Style Path and Extension Avoidance Enumeration

    Expected signal: Sysmon EventCode=1 with Image=powershell.exe, CommandLine containing avoidExtensions array with 12 system extensions, avoidPaths array, -notcontains and -like operators, Get-ChildItem cmdlet
