MITRE ATT&CK® Analytic

AN0139: Analytic 0139

Creation or modification of files in directories known to be excluded from AV scanning (e.g., C:\Windows\Temp, Exchange server directories, or default AV exclusions). Defender perspective: correlate file creation with execution behavior or anomalous parent processes writing to excluded paths.

Domain: Enterprise | ID: AN0139 | Type: Analytic object | Version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

This analytic matters because files written into antivirus-excluded Windows locations can bypass an important layer of endpoint inspection. For leaders, the practical question is not whether these paths exist—they often do for performance or application compatibility—but whether the organization can see and investigate suspicious file creation, modification, and follow-on execution in those locations.

Executive priority

Prioritize validation where excluded directories overlap with critical Windows systems, Exchange server directories, or other business-critical workloads. This behavior creates a control assurance issue: AV exclusions may be operationally necessary, but they should not become unmonitored blind spots. Executives should ask for evidence that endpoint, file, and process telemetry still supports incident response in excluded paths.

Technical view

For Windows environments, validate monitoring for creation or modification of files in directories known to be excluded from AV scanning, such as C:\Windows\Temp, Exchange server directories, or default AV exclusions. The telemetry has to come from a source that is not gated by the AV scan decision (a Sysmon or EDR file-event sensor, or Windows object-access auditing on the directories), because an exclusion removes the AV engine's own inspection of exactly the files this analytic cares about. Detection value improves when file-write events are correlated with execution of the written file and with anomalous parent processes writing into excluded paths. Because no ATT&CK detection text or relationship context is supplied beyond the analytic description, teams should treat this as a coverage-validation analytic rather than a complete detection rule.

Likely telemetry

  • Windows file creation and file modification events for known AV-excluded paths (for example Sysmon Event ID 11 FileCreate, or Security Event ID 4663 object access, which requires a SACL on the monitored directories)
  • Endpoint process creation telemetry showing execution from or interaction with excluded directories (for example Sysmon Event ID 1 or Security Event ID 4688 with command-line auditing enabled)
  • Parent-child process context for processes writing to excluded paths
  • Endpoint security configuration or inventory data identifying AV exclusion paths
  • Server-specific file activity telemetry for Exchange directories where applicable

Detection direction

  • Build or validate an inventory of AV-excluded directories before alerting; unknown or stale exclusion lists are a major blind spot. On Microsoft Defender hosts the configured paths are the ExclusionPath property of Get-MpPreference; other AV products expose their lists differently.
  • Correlate file writes in excluded paths with subsequent execution, unusual parent processes, or unexpected accounts to reduce noise.
  • Tune for legitimate operational activity in Windows temporary directories and server application directories, which may generate high-volume benign file writes.
  • Validate visibility remains present even when AV scanning is excluded; the analytic depends on telemetry outside the AV scan decision itself.
  • Review Exchange server directory monitoring separately if present, because business-critical server workloads may require exclusions but still need strong auditability.
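The correlation described in the technical view and in the detection-direction bullets above, as an added worked example that is not code from this page or from MITRE. It runs over constructed Sysmon-style records (Event ID 11 FileCreate, Event ID 1 ProcessCreate) rather than real telemetry; the exclusion inventory, the expected-writer allow-list, and the ten-minute execution window are hypothetical placeholders for values an organization would export from its own endpoint configuration and tune locally.

```python
"""Correlate file writes in AV-excluded directories with follow-on execution
and with unexpected writer processes.

Added example, not code from the page or from MITRE. EVENTS are constructed
Sysmon-style records; EXCLUDED_DIRS and EXPECTED_WRITERS are hypothetical
stand-ins for an exported exclusion inventory (for Defender, the ExclusionPath
property of Get-MpPreference) and a locally tuned allow-list.
"""
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Constructed exclusion inventory (hypothetical paths).
EXCLUDED_DIRS = (
    r"C:\Windows\Temp",
    r"C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess",
)

# Hypothetical allow-list of image names that routinely write into excluded
# paths on this estate. Any other writer is flagged as anomalous.
EXPECTED_WRITERS = {"msiexec.exe", "trustedinstaller.exe", "tiworker.exe"}

# How soon after a write an execution of the written file counts as correlated.
EXEC_WINDOW = timedelta(minutes=10)

# Constructed Sysmon-style events, flattened to the fields the analytic needs.
EVENTS = [
    # Expected installer writing a cache file to Temp; never executed -> no finding.
    {"ts": "2024-05-01T10:00:00", "id": 11, "image": r"C:\Windows\System32\msiexec.exe",
     "target": r"C:\Windows\Temp\MSI1A2B.tmp", "user": r"NT AUTHORITY\SYSTEM"},
    # IIS worker writing a script into an excluded Exchange directory -> anomalous writer.
    {"ts": "2024-05-01T10:01:00", "id": 11, "image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "target": r"C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\ecp\helper.aspx",
     "user": r"NT AUTHORITY\SYSTEM"},
    # Interactive user drops an executable into Temp and it runs a minute later.
    {"ts": "2024-05-01T10:02:00", "id": 11, "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Windows\Temp\update.exe", "user": r"CORP\jdoe"},
    {"ts": "2024-05-01T10:03:00", "id": 1, "image": r"C:\Windows\Temp\update.exe",
     "parent_image": r"C:\Windows\explorer.exe", "user": r"CORP\jdoe"},
    # Write outside every excluded directory -> out of scope for this analytic.
    {"ts": "2024-05-01T10:04:00", "id": 11, "image": r"C:\Program Files\Office\WINWORD.EXE",
     "target": r"C:\Users\jdoe\Documents\report.docx", "user": r"CORP\jdoe"},
]


def _parts(path: str) -> tuple:
    """Lower-cased path components, so comparisons are case-insensitive."""
    return tuple(p.lower() for p in PureWindowsPath(path).parts)


def is_excluded(path: str, excluded_dirs=EXCLUDED_DIRS) -> bool:
    """True if `path` is a file inside one of the excluded directories.

    Whole components are compared, so C:\\Windows\\Temp does not match
    C:\\Windows\\TempFiles the way a naive string-prefix test would.
    """
    parts = _parts(path)
    for base in excluded_dirs:
        base_parts = _parts(base)
        if len(parts) > len(base_parts) and parts[: len(base_parts)] == base_parts:
            return True
    return False


def correlate(events, excluded_dirs=EXCLUDED_DIRS, expected_writers=EXPECTED_WRITERS,
              window=EXEC_WINDOW):
    """Return one finding per suspicious write into an excluded directory.

    A write is suspicious when the writing image is not on the expected-writer
    list, or when the written file is executed within `window` of the write.
    Writes by expected writers that are never executed produce no finding,
    which is the noise reduction the analytic calls for.
    """
    events = sorted(events, key=lambda e: e["ts"])
    writes = [e for e in events if e["id"] == 11 and is_excluded(e["target"], excluded_dirs)]
    execs = [e for e in events if e["id"] == 1]
    findings = []
    for w in writes:
        reasons = []
        if PureWindowsPath(w["image"]).name.lower() not in expected_writers:
            reasons.append("anomalous_writer")
        w_ts = datetime.fromisoformat(w["ts"])
        for x in execs:
            x_ts = datetime.fromisoformat(x["ts"])
            if x["image"].lower() == w["target"].lower() and w_ts <= x_ts <= w_ts + window:
                reasons.append("executed_after_write")
                break
        if reasons:
            findings.append({
                "target": w["target"], "writer": w["image"], "user": w["user"],
                "reasons": reasons,
                "severity": "high" if len(reasons) == 2 else "medium",
            })
    return findings


if __name__ == "__main__":
    for f in correlate(EVENTS):
        print(f"[{f['severity']}] {f['target']} written by {f['writer']} "
              f"({f['user']}): {', '.join(f['reasons'])}")
```

Run as-is, the block reports two findings: the Exchange directory write by w3wp.exe (anomalous writer only, medium) and the Temp write by explorer.exe that is executed a minute later (both conditions, high). The msiexec.exe write is suppressed by the allow-list, which is where most tuning effort goes in practice; keep that list narrow and reviewed alongside the exclusion inventory itself.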

Mitigation priorities

  • Govern AV exclusions through documented approval, ownership, and periodic review.
  • Minimize exclusions to the narrowest required paths and systems consistent with operational needs.
  • Ensure endpoint and logging controls continue to collect file and process telemetry for excluded paths.
  • Use incident response runbooks that require analysts to check excluded directories when investigating suspicious execution or anomalous process behavior.
  • Maintain compliance evidence showing why exclusions exist, when they were reviewed, and what compensating monitoring is in place.

Analyst notes and limits

This is a detection analytic object, not a technique object. The supplied ATT&CK fields specify Windows as the platform and describe file creation or modification in directories excluded from AV scanning. No tactics, relationships, labels, aliases, or formal detection content are supplied, so the take emphasizes validation of telemetry, exclusion governance, and correlation logic rather than mapping to a specific intrusion phase.

The source object provides no official detection query, no relationship context, and no tactics. Local AV exclusion configuration, endpoint logging coverage, and server application architecture are required to determine fidelity and operational risk. This summary does not assert active exploitation, attribution, or guaranteed detection coverage.

Official MITRE ATT&CK definition

Analytic 0139

Creation or modification of files in directories known to be excluded from AV scanning (e.g., C:\Windows\Temp, Exchange server directories, or default AV exclusions). Defender perspective: correlate file creation with execution behavior or anomalous parent processes writing to excluded paths.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created: (not supplied in the mirrored snapshot)
Modified: (not supplied in the mirrored snapshot)
Raw hash: 0bbbd51a84069efa...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | (not supplied) | 1.0 | (not supplied) | Current bundle | 0bbbd51a8406…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN0139

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.