Description
Adversaries may attempt to hide their file-based artifacts by writing them to specific folders or file names excluded from antivirus (AV) scanning and other defensive capabilities. AV and other file-based scanners often include exclusions to optimize performance as well as ease installation and legitimate use of applications. These exclusions may be contextual (e.g., scans are only initiated in response to specific triggering events/alerts), but are also often hardcoded strings referencing specific folders and/or files assumed to be trusted and legitimate.(Citation: Microsoft File Folder Exclusions)
Adversaries may abuse these exclusions to hide their file-based artifacts. For example, rather than tampering with tool settings to add a new exclusion (i.e., Disable or Modify Tools), adversaries may drop their file-based payloads in default or otherwise well-known exclusions. Adversaries may also use Security Software Discovery and other Discovery/Reconnaissance activities to both discover and verify existing exclusions in a victim environment.
Platforms
Mitigations (2)
Antivirus/Antimalware (M1049)
Review and audit file/folder exclusions, and limit scope of exclusions to only what is required where possible.(Citation: Microsoft File Folder Exclusions)
Application Developer Guidance (M1013)
Application developers should consider limiting the requirements for custom or otherwise difficult to manage file/folder exclusions. Where possible, install applications to trusted system folder paths that are already protected by restricted file and directory permissions.
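The following is an added example of the M1049 review step, not code from the ATT&CK page or from Microsoft. It assumes a Windows host running Microsoft Defender with the Defender PowerShell module available (Get-MpPreference, Get-WinEvent), run from an elevated session so the full exclusion list is visible. The function Get-RiskyDefenderExclusion and the list of user-writable roots are the example's own choices; the Defender Operational log event ID 5007 (configuration change) is used to show when exclusions were last altered.

```powershell
# Added audit helper (hypothetical name): enumerates Defender exclusions and flags the ones
# whose scope a mitigation review would want to shrink. Broad path exclusions, extension and
# process exclusions, and exclusions under user-writable locations are the ones an adversary
# can reuse without touching tool settings.

function Get-RiskyDefenderExclusion {
    [CmdletBinding()]
    param(
        # Assumed set of locations a non-administrative user can write to; adjust per environment.
        [string[]] $UserWritableRoots = @('C:\Users', 'C:\Windows\Temp', 'C:\ProgramData')
    )

    $pref = Get-MpPreference
    $findings = @()

    # Path exclusions: whole drives, shares, wildcards and user-writable roots are the worst cases.
    foreach ($path in @($pref.ExclusionPath)) {
        if (-not $path) { continue }
        $reason = $null
        if     ($path -match '^[A-Za-z]:\\?$') { $reason = 'entire drive excluded' }
        elseif ($path -match '^\\\\')          { $reason = 'UNC share excluded' }
        elseif ($path -match '[\*\?]')         { $reason = 'wildcard pattern' }
        elseif ($UserWritableRoots | Where-Object { $path -like "$_*" }) {
            $reason = 'exclusion under a user-writable location'
        }
        if ($reason) {
            $findings += [pscustomobject]@{ Type = 'Path'; Value = $path; Reason = $reason }
        }
    }

    # Extension exclusions apply everywhere on disk, so every entry is worth a second look.
    foreach ($ext in @($pref.ExclusionExtension)) {
        if ($ext) {
            $findings += [pscustomobject]@{ Type = 'Extension'; Value = $ext
                                            Reason = 'all files with this extension skipped regardless of location' }
        }
    }

    # Process exclusions are matched by name, so any binary carrying that name inherits them.
    foreach ($proc in @($pref.ExclusionProcess)) {
        if ($proc) {
            $findings += [pscustomobject]@{ Type = 'Process'; Value = $proc
                                            Reason = 'files opened by a process with this name are skipped' }
        }
    }

    $findings
}

# Added helper (hypothetical name): recent Defender configuration-change events that mention
# exclusions, to pair the audit with a timeline of who changed what and when.
function Get-RecentExclusionChange {
    param([int] $MaxEvents = 200)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5007 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Exclusions' } |
        Select-Object TimeCreated, Message
}

Get-RiskyDefenderExclusion | Format-Table -AutoSize
Get-RecentExclusionChange  | Format-Table -AutoSize -Wrap
```

The first table is the input to the "limit scope to only what is required" decision: each row should map to a documented application need, and anything that does not is a candidate for removal or narrowing to a specific file. The second table gives the change history to compare against change tickets, which is also the telemetry the detection FAQ below refers to in general terms.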
Threat Groups (1)
| ID | Group | Context |
|---|---|---|
| G0010 | Turla | [Turla](https://attack.mitre.org/groups/G0010) has placed [LunarWeb](https://attack.mitre.org/software/S1141) install files into directories that are ... |
References
Frequently Asked Questions
What is T1564.012 (File/Path Exclusions)?
T1564.012 is a MITRE ATT&CK technique named 'File/Path Exclusions'. It belongs to the Stealth tactic(s). Adversaries may attempt to hide their file-based artifacts by writing them to specific folders or file names excluded from antivirus (AV) scanning and other defensive capabilities. AV and other file-b...
How can T1564.012 be detected?
Detection of T1564.012 (File/Path Exclusions) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1564.012?
There are 2 documented mitigations for T1564.012. Key mitigations include: Antivirus/Antimalware, Application Developer Guidance.
Which threat groups use T1564.012?
Known threat groups using T1564.012 include: Turla.