title: File/Path Exclusions (T1564.012)
id: df00tech-t1564-012
status: experimental
description: Adversaries may attempt to hide their file-based artifacts by writing them to specific folders or file names excluded from antivirus (AV) scanning and other defensive capabilities. AV and other file-based scanners often include exclusions to optimize performance as well as to ease installation and legitimate use of applications. These exclusions may be contextual (scans that only fire on specific triggers) or list-based (hardcoded folder or file names assumed to be trusted). Adversaries typically perform a discovery phase first, enumerating existing exclusions with Get-MpPreference (ExclusionPath, ExclusionExtension, ExclusionProcess) or by reading the value names under HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths, and then stage payloads precisely in those excluded locations to bypass real-time scanning. Recent Defender platform updates hide exclusions from non-administrators (Get-MpPreference reports them as N/A), so a successful enumeration implies an elevated context, and enumeration attempts from a standard user are worth surfacing on their own. Turla has been documented placing LunarWeb implant files in AV-excluded directories as part of long-term persistence operations against diplomatic targets.
references:
  - https://attack.mitre.org/techniques/T1564/012/
  - https://df00tech.com/detections/T1564.012
author: df00tech
date: 2026/03/12
tags:
  - attack.defense_evasion
  - attack.t1564.012
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  product: windows
detection:
  # Placeholder: the detection logic could not be auto-translated into Sigma.
  # The selection below matches every event and exists only to keep the rule
  # syntactically valid; replace it with the KQL/SPL query on df00tech before use.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Windows Update components (svchost.exe hosting wuauserv, wuauclt.exe) legitimately write executables and packages to %SystemRoot%\\SoftwareDistribution\\Download during patch download cycles"
  - "Software installers (msiexec.exe) extracting temporary payload files to %TEMP% or %LOCALAPPDATA%\\Temp during installation sequences"
  - Security vendors and EDR agents writing their own components to directories they have self-excluded for performance, especially during product updates
  - "Developer CI/CD pipelines and build tools that output compiled binaries to %TEMP% directories configured as AV exclusions to speed up builds"
  - SCCM or Intune distribution agents staging software packages in excluded directories before deployment execution
level: high
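Because the Sigma body above is only a placeholder, the following added example (written here; it is not df00tech's rule, nor its KQL/SPL) shows one way to operationalize the description offline in Python. It flags Sysmon EventID 1 process creations whose command line enumerates Defender exclusions, and Sysmon EventID 11 file creations that drop payload-type files into a currently excluded path, suppressing the writer/destination pairs listed under falsepositives. Assumptions: the Sysmon field names (Image, CommandLine, TargetFilename) are real, but the exclusion list, the events, the PAYLOAD_EXT set and the BENIGN_WRITERS table are constructed, and the wildcard handling is an approximation of Defender's documented semantics (`*` within one path segment, `?` one character, folder entries covering everything beneath them).

```python
"""
Added example, not part of the df00tech rule or its KQL/SPL: an offline
evaluator for the behaviour described above. (1) flags process creations
that enumerate Defender exclusions, (2) flags payload-type files written
into currently excluded paths, minus documented benign writers.
Sysmon field names are real; events and exclusion list are constructed.
"""
import re

# Payload-type extensions worth alerting on (assumed set; tune per fleet).
PAYLOAD_EXT = {".exe", ".dll", ".sys", ".scr", ".ps1", ".bat", ".cmd", ".vbs", ".js", ".hta"}

# (writer image basename, lower-cased destination fragment) pairs taken from
# the rule's falsepositives section. MsMpEng.exe / CcmExec.exe are assumed
# stand-ins for an AV engine and an SCCM client; adjust to your environment.
BENIGN_WRITERS = [
    ("svchost.exe", "\\softwaredistribution\\"),  # wuauserv runs inside svchost
    ("wuauclt.exe", "\\softwaredistribution\\"),
    ("msiexec.exe", "\\temp\\"),                   # installer extraction
    ("msmpeng.exe", "\\windows defender\\"),
    ("ccmexec.exe", "\\ccmcache\\"),
]

# Command-line fragments that indicate exclusion enumeration.
DISCOVERY_MARKERS = ("get-mppreference", "windows defender\\exclusions")


def exclusion_regex(pattern):
    """Compile one exclusion entry. Approximation of Defender semantics
    (assumption): '*' matches within a single path segment, '?' matches one
    character, and a folder entry also covers everything beneath it.
    Comparison is case-insensitive, as NTFS paths are."""
    norm = pattern.replace("/", "\\").rstrip("\\").lower()
    out = []
    for ch in norm:
        if ch == "*":
            out.append(r"[^\\]*")
        elif ch == "?":
            out.append(r"[^\\]")
        else:
            out.append(re.escape(ch))
    return re.compile("^" + "".join(out) + r"(\\.*)?$")


def load_exclusions(paths):
    return [exclusion_regex(p) for p in paths]


def is_excluded(path, compiled):
    norm = path.replace("/", "\\").lower()
    return any(rx.match(norm) for rx in compiled)


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def evaluate(events, exclusion_paths):
    """Return alerts for Sysmon EID 1 (discovery) and EID 11 (staging) events."""
    compiled = load_exclusions(exclusion_paths)
    alerts = []
    for ev in events:
        if ev["EventID"] == 1:
            cmd = ev.get("CommandLine", "").lower()
            if any(m in cmd for m in DISCOVERY_MARKERS):
                alerts.append({"kind": "discovery", "image": ev["Image"], "detail": ev["CommandLine"]})
        elif ev["EventID"] == 11:
            target = ev["TargetFilename"]
            name = _basename(target)
            ext = ("." + name.rsplit(".", 1)[1].lower()) if "." in name else ""
            if ext not in PAYLOAD_EXT or not is_excluded(target, compiled):
                continue
            writer = _basename(ev["Image"]).lower()
            tnorm = target.replace("/", "\\").lower()
            if any(writer == img and frag in tnorm for img, frag in BENIGN_WRITERS):
                continue  # documented false positive, suppress
            alerts.append({"kind": "staging", "image": ev["Image"], "detail": target})
    return alerts


# Constructed exclusion list, shaped like the value names under
# HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths.
SAMPLE_EXCLUSIONS = [
    r"C:\ProgramData\BuildCache",
    r"C:\Windows\SoftwareDistribution",
    r"C:\Users\*\AppData\Local\Temp",
]

# Constructed Sysmon-style events (EventID 1 = ProcessCreate, 11 = FileCreate).
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Windows\SoftwareDistribution\Download\1a2b\update.exe"},
    {"EventID": 11, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\MSI1A2B.tmp-\setup.dll"},
    {"EventID": 11, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\ProgramData\BuildCache\svchost.exe"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\Documents\report.docx"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -c "Get-MpPreference | Select-Object ExclusionPath"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg.exe query "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths"'},
    {"EventID": 11, "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Users\bob\AppData\Local\Temp\run.bat"},
]

if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS, SAMPLE_EXCLUSIONS):
        print(f"[{a['kind']}] {a['image']} -> {a['detail']}")
```

In production the exclusion list would be pulled from an administrative context (Get-MpPreference or the registry key above) and refreshed whenever Defender Operational log event 5007 reports a configuration change; the example deliberately leaves ExclusionExtension and ExclusionProcess unmodelled, and an exclusion written with an environment variable such as %ProgramData% would need expanding before it is compiled.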
