Stealth

T1679: Selective Exclusion

T1679 · Technique · 1 platform · 1 group

Description

Adversaries may intentionally exclude certain files, folders, directories, file types, or system components from encryption or tampering during a ransomware or malicious payload execution. Some file extensions that adversaries may avoid encrypting include .dll, .exe, and .lnk.(Citation: Palo Alto Unit 42 Medusa Group Medusa Ransomware January 2024)

Adversaries may perform this behavior to avoid alerting users, to evade detection by security tools and analysts, or, in the case of ransomware, to ensure that the system remains operational enough to deliver the ransom notice.

Exclusions may target files and components whose corruption would cause instability, break core services, or immediately expose the attack. By carefully avoiding these areas, adversaries maintain system responsiveness while minimizing indicators that could trigger alarms or otherwise inhibit achieving their goals.
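The exclusion pattern described above is visible in telemetry as much by what a process leaves alone as by what it touches. The following is an added detection heuristic, not part of the ATT&CK page or of any listed tool: given a constructed file inventory and constructed EDR-style write events, it reports, per process, which operational extensions (.dll, .exe, .lnk from the page; .sys is an assumption) sat next to modified files but were skipped, and which operational directories (an assumed set) were never entered, and flags a write burst that shows both.

```python
"""
Added detection heuristic for the selective-exclusion pattern.
The inventory, events and the two "operational" sets are constructed here for
illustration; they are not from the ATT&CK page or any referenced tool.
"""
from pathlib import PureWindowsPath

# Extensions the page names as commonly left intact (.dll, .exe, .lnk);
# .sys is added as an assumption.
OPERATIONAL_EXTS = {".dll", ".exe", ".lnk", ".sys"}
# Directories whose wholesale modification would break the host (assumption).
OPERATIONAL_DIRS = {"c:\\windows", "c:\\windows\\system32", "c:\\program files"}
MIN_MODIFIED = 5  # minimum files written by one process to count as a burst

# Constructed inventory: files that existed before the activity.
INVENTORY = [
    r"C:\Users\alice\Documents\report.docx",
    r"C:\Users\alice\Documents\budget.xlsx",
    r"C:\Users\alice\Documents\notes.txt",
    r"C:\Users\alice\Documents\tool.exe",
    r"C:\Users\alice\Documents\helper.dll",
    r"C:\Users\alice\Desktop\photo.jpg",
    r"C:\Users\alice\Desktop\plan.pdf",
    r"C:\Users\alice\Desktop\Chrome.lnk",
    r"C:\Windows\explorer.exe",
    r"C:\Windows\System32\kernel32.dll",
]

# Constructed EDR-style events: (pid, action, path).
EVENTS = [
    (4242, "read", r"C:\Users\alice\Documents\tool.exe"),      # reads are not counted
    (4242, "write", r"C:\Users\alice\Documents\report.docx"),
    (4242, "write", r"C:\Users\alice\Documents\budget.xlsx"),
    (4242, "write", r"C:\Users\alice\Documents\notes.txt"),
    (4242, "rename", r"C:\Users\alice\Desktop\photo.jpg"),
    (4242, "write", r"C:\Users\alice\Desktop\plan.pdf"),
    (4242, "write", r"C:\Users\alice\Documents\READ_ME.txt"),  # new file dropped in place
    (100, "write", r"C:\Users\alice\Documents\notes.txt"),     # ordinary editor save
]


def _ext(path: str) -> str:
    return PureWindowsPath(path).suffix.lower()


def _parent(path: str) -> str:
    return str(PureWindowsPath(path).parent).lower()


def analyze(inventory, events, pid):
    """Summarise what one process modified and, more importantly, what it skipped."""
    present = {p.lower() for p in inventory}
    modified = {p.lower() for (epid, action, p) in events
                if epid == pid and action in ("write", "rename")}
    modified_exts = {_ext(p) for p in modified}
    touched_dirs = {_parent(p) for p in modified}
    # Files that sat beside modified files but were never written: the exclusions.
    skipped = {p for p in present if _parent(p) in touched_dirs and p not in modified}
    skipped_ops = {_ext(p) for p in skipped} & OPERATIONAL_EXTS
    # Operational directories that existed on the host but were never entered.
    avoided_dirs = ({_parent(p) for p in present} & OPERATIONAL_DIRS) - touched_dirs
    flagged = (len(modified) >= MIN_MODIFIED
               and not (modified_exts & OPERATIONAL_EXTS)
               and bool(skipped_ops or avoided_dirs))
    return {
        "pid": pid,
        "modified": len(modified),
        "modified_exts": modified_exts,
        "skipped_operational_exts": skipped_ops,
        "avoided_operational_dirs": avoided_dirs,
        "flagged": flagged,
    }


if __name__ == "__main__":
    for pid in (4242, 100):
        print(analyze(INVENTORY, EVENTS, pid))
```

Run stand-alone, the script flags pid 4242 (six user-data files written, every .exe/.dll/.lnk beside them untouched, C:\Windows never entered) and clears pid 100, which wrote a single file. The `MIN_MODIFIED` threshold and the operational sets are the tuning knobs: backup agents and bulk converters also write many files while skipping binaries, so in production the verdict should be combined with process reputation and the write rate rather than used alone.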

Platforms

Windows

Threat Groups (1)

| ID | Group | Context |
|---|---|---|
| G1055 | [VOID MANTICORE](https://attack.mitre.org/groups/G1055) | VOID MANTICORE has avoided interacting with specific directories in order to reduce the likelihood of detecti... |

Associated Software (6)

| ID | Name | Type | Context |
|---|---|---|---|
| S9039 | [LazyWiper](https://attack.mitre.org/software/S9039) | Malware | LazyWiper can enumerate the hostname of the system to determine if it is a domain controller and exclude it... |
| S1244 | [Medusa Ransomware](https://attack.mitre.org/software/S1244) | Malware | Medusa Ransomware has avoided specified files, file extensions and folders to ensure successful execution o... |
| S9038 | [DynoWiper](https://attack.mitre.org/software/S9038) | Malware | DynoWiper has recursively enumerated directories with the exception of the following: System32, Windows, Pr... |
| S1245 | [InvisibleFerret](https://attack.mitre.org/software/S1245) | Malware | InvisibleFerret has the capability to scan for file names, file extensions, and avoids pre-designated path ... |
| S1247 | [Embargo](https://attack.mitre.org/software/S1247) | Malware | Embargo has avoided encrypting specific files and directories by leveraging a regular expression within the... |
| S9030 | [SameCoin](https://attack.mitre.org/software/S9030) | Malware | SameCoin can avoid overwriting file names that contain “desktop.ini” and “conf.conf”. (Citation: Check Poin... |

Frequently Asked Questions

What is T1679 (Selective Exclusion)?

T1679 is a MITRE ATT&CK technique named 'Selective Exclusion'. It belongs to the Stealth tactic. Adversaries may intentionally exclude certain files, folders, directories, file types, or system components from encryption or tampering during a ransomware or malicious payload execution. Some file extensions that adversaries may avoid encrypting include .dll, .exe, and .lnk.

How can T1679 be detected?

Detection of T1679 (Selective Exclusion) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.

What mitigations exist for T1679?

Follow defense-in-depth principles including network segmentation, least privilege access, security monitoring, and regular patching to reduce the risk of this technique.

Which threat groups use T1679?

Known threat groups using T1679 include: VOID MANTICORE.