title: Selective Exclusion (T1679)
id: df00tech-t1679
status: experimental
description: "This detection identifies adversaries employing selective exclusion during ransomware or destructive payload execution, where specific file extensions, directories, or system components are deliberately skipped to maintain system stability, evade detection, and ensure ransom delivery. Key indicators include script interpreter processes enumerating files with extensive system extension exclusion lists (.dll, .exe, .lnk, .sys, .msi), command-line arguments embedding regex patterns targeting multiple Windows critical extensions, explicit PowerShell exclusion operators (-notmatch, -notlike, -notcontains) filtering system file types, and mass file operation patterns that selectively skip binary and system formats. Ransomware families including Medusa, Embargo, and InvisibleFerret employ this technique to avoid system instability while maximizing encryption coverage, ensuring the victim endpoint remains operational enough to display ransom demands."
references:
  - https://attack.mitre.org/techniques/T1679/
  - https://df00tech.com/detections/T1679
author: df00tech
date: 2026/03/20
tags:
  - attack.t1679
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Legitimate backup agent scripts (Veeam, Commvault, Veritas) that enumerate file systems while excluding binary extensions from backup scope"
  - "Software deployment automation (SCCM, PDQ Deploy, Ansible) that iterates files while targeting specific document types and skipping executables"
  - "IT administration PowerShell scripts performing selective file operations during maintenance windows"
  - "Security scanner scripts that explicitly exclude certain file types from scanning scope to reduce load"
  - "Developer build and packaging scripts that process source files while explicitly skipping compiled outputs (.exe, .dll)"
level: high
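The detection block above is a placeholder, so the following is an added illustration of how the indicators named in the description (a script interpreter process, a command line that names several of the listed system extensions, a PowerShell exclusion operator, and a recursive file walk) can be scored over process_creation events. It is not df00tech's KQL/SPL query and not part of the rule; the interpreter list, the enumeration patterns, the threshold of three distinct extensions, and the sample events are all assumptions constructed for this example.

```python
import re
from typing import Optional

# Script interpreter images to consider (assumed list, not from the rule).
SCRIPT_INTERPRETERS = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "python.exe",
}

# Each extension matched as a standalone token, so both literal forms such as
# ".dll" / "*.dll" and regex alternations such as "(dll|exe|lnk)" are counted.
EXT_RE = re.compile(r"(?<![A-Za-z0-9])(dll|exe|lnk|sys|msi)(?![A-Za-z0-9])", re.IGNORECASE)

# PowerShell exclusion operators named in the rule description.
EXCLUSION_OP_RE = re.compile(r"-not(?:match|like|contains)\b", re.IGNORECASE)

# Constructs that indicate a mass file walk (assumed list).
ENUMERATION_RE = re.compile(
    r"(get-childitem|\bgci\b|\bdir\b.*\s/s\b|\bfor\s+/r\b|os\.walk)", re.IGNORECASE
)

MIN_DISTINCT_EXTENSIONS = 3  # assumed threshold; tune against your own baseline


def arguments_only(command_line: str) -> str:
    """Drop the leading image token so the interpreter's own '.exe' is not counted."""
    command_line = command_line.strip()
    if command_line.startswith('"'):
        end = command_line.find('"', 1)
        return command_line[end + 1:] if end != -1 else ""
    parts = command_line.split(None, 1)
    return parts[1] if len(parts) > 1 else ""


def evaluate(event: dict) -> Optional[dict]:
    """Return a finding for a suspicious process_creation event, or None."""
    image = event.get("Image", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if image not in SCRIPT_INTERPRETERS:
        return None
    args = arguments_only(event.get("CommandLine", ""))
    extensions = sorted({m.group(1).lower() for m in EXT_RE.finditer(args)})
    operators = sorted({m.group(0).lower() for m in EXCLUSION_OP_RE.finditer(args)})
    enumerates = ENUMERATION_RE.search(args) is not None
    # Alert only when several system extensions are excluded AND the command
    # either uses an exclusion operator or walks the file system.
    if len(extensions) < MIN_DISTINCT_EXTENSIONS or not (operators or enumerates):
        return None
    return {"image": image, "extensions": extensions,
            "operators": operators, "enumerates": enumerates}


def scan(events: list) -> list:
    """Evaluate every event and return the findings in input order."""
    return [f for f in (evaluate(e) for e in events) if f is not None]


# Constructed sample process_creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": '''powershell.exe -NoProfile -Command "Get-ChildItem -Path C:\\Users -Recurse -File | Where-Object { $_.Extension -notmatch '\\.(dll|exe|lnk|sys|msi)$' } | ForEach-Object { $_.FullName }"'''},
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -File C:\\Scripts\\Invoke-Backup.ps1 -Source D:\\Data -Exclude *.exe,*.dll"},
    {"Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c dir C:\\Users /s /b"},
    {"Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe C:\\exclusions.txt"},
    {"Image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe",
     "CommandLine": '''pwsh.exe -c "gci D:\\Shares -Recurse | ? { $_.Name -notlike '*.dll' -and $_.Name -notlike '*.sys' -and $_.Name -notlike '*.msi' }"'''},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The second sample (a backup script excluding only two extensions) and the plain `dir /s` stay below the threshold, which is the kind of near miss the falsepositives list above describes; raising or lowering `MIN_DISTINCT_EXTENSIONS` is the main knob for trading coverage against noise from the backup and deployment tooling listed there.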
