DET0897 Detection of Selective Exclusion

Item	Value
ID	DET0897
Version	1.0
Created	23 October 2025
Last Modified	12 November 2025

Technique Detected: T1679 (Selective Exclusion)

Analytics

Windows

AN2030

A process with no prior history or outside of known whitelisted tools initiates file or registry modifications to configure exclusion rules for antivirus, backup, or file-handling systems. Or a file system enumeration for specific file names andcritical extensions like .dll, .exe, .sys, or specific directories such as ‘Program Files’ or security tool paths or system component discovery for the exclusion of the files or components.

Log Sources

Data Component	Name	Channel
Command Execution (DC0064)	WinEventLog:PowerShell	EventCode=4103, 4104, 4105, 4106
Process Creation (DC0032)	WinEventLog:Security	EventCode=4688
File Modification (DC0061)	WinEventLog:Security	EventCode=4663, 4670, 4656

Mutable Elements

Field	Description
TimeWindow	Correlate multiply discovery activities and file enumeration activities.
DiscoveryActivityThreshold	Minimum number of different discovery techniques within time window to trigger detection - balance between false positives and coverage (default: 4 activities)
ExclusionTargetList	List of extensions or folders considered suspicious when excluded (e.g., .dll, .exe, C:\Program Files\)
AuthorizedExclusionModifiers	Whitelist of known system management tools/processes allowed to modify exclusion settings