T1564.012 File/Path Exclusions
Adversaries may attempt to hide their file-based artifacts by writing them to specific folders or file names excluded from antivirus (AV) scanning and other defensive capabilities. AV and other file-based scanners often include exclusions to optimize performance as well as ease installation and legitimate use of applications. These exclusions may be contextual (e.g., scans are only initiated in response to specific triggering events/alerts), but are also often hardcoded strings referencing specific folders and/or files assumed to be trusted and legitimate.
Adversaries may abuse these exclusions to hide their file-based artifacts. For example, rather than tampering with tool settings to add a new exclusion (i.e., Disable or Modify Tools), adversaries may drop their file-based payloads in default or otherwise well-known exclusions. Adversaries may also use Security Software Discovery and other Discovery/Reconnaissance activities to both discover and verify existing exclusions in a victim environment.
| Item |
Value |
| ID |
T1564.012 |
| Sub-techniques |
T1564.001, T1564.002, T1564.003, T1564.004, T1564.005, T1564.006, T1564.007, T1564.008, T1564.009, T1564.010, T1564.011, T1564.012, T1564.013, T1564.014 |
| Tactics |
TA0005 |
| Platforms |
Linux, Windows, macOS |
| Version |
1.0 |
| Created |
29 March 2024 |
| Last Modified |
15 April 2025 |
Procedure Examples
| ID |
Name |
Description |
| G0010 |
Turla |
Turla has placed LunarWeb install files into directories that are excluded from scanning. |
Mitigations
| ID |
Mitigation |
Description |
| M1049 |
Antivirus/Antimalware |
Review and audit file/folder exclusions, and limit scope of exclusions to only what is required where possible. |
| M1013 |
Application Developer Guidance |
Application developers should consider limiting the requirements for custom or otherwise difficult to manage file/folder exclusions. Where possible, install applications to trusted system folder paths that are already protected by restricted file and directory permissions. |
References