Live Active security incident? Get immediate response
MITRE ATT&CK® Detection Strategy

DET0051: Detection Strategy for File/Path Exclusions

DET0051 is a MITRE detection strategy tied to File/Path Exclusions, a stealth behavior where adversaries may place file-based artifacts in locations or nam...

EnterpriseDET0051Detection StrategyObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

DET0051 is a MITRE detection strategy tied to File/Path Exclusions, a stealth behavior where adversaries may place file-based artifacts in locations or names that antivirus or other file-scanning controls exclude. For leaders, the practical issue is not only malware detection; it is whether security exceptions created for performance or application compatibility have become ungoverned hiding places that weaken SOC and incident response visibility.

Executive priority

Treat file and path exclusions as a control-governance and evidence problem. Security leaders should ask who approves exclusions, whether they are periodically reviewed, and whether SOC/IR teams can see when excluded locations are used in suspicious ways. This matters for operational resilience, audit readiness, and vulnerability/control prioritization because overly broad or undocumented exclusions can reduce the value of endpoint protection across Linux, macOS, and Windows environments associated with the related ATT&CK technique.

Technical view

MITRE provides no official description or detection logic for DET0051, so defenders should derive validation from the related technique T1564.012. SOC and detection teams should confirm they can inventory AV/file-scanner exclusions, monitor changes to those exclusions where logs are available, and correlate file creation, modification, execution, or persistence activity occurring under excluded paths or names. Incident responders should include exclusion review in triage when artifacts are missing from scanner alerts or when suspicious files appear in locations expected to be ignored by defensive tooling.

Likely telemetry

  • Endpoint protection or antivirus configuration records showing file, folder, or path exclusions
  • Endpoint security management console audit logs for exclusion creation, modification, or removal
  • File creation, modification, rename, and execution telemetry from Linux, macOS, and Windows endpoints where available
  • Process execution telemetry showing binaries launched from excluded paths or with excluded file names
  • Administrative change logs identifying users, tools, or management systems that altered security exclusions

Detection direction

  • Baseline approved exclusions and alert on new, broadened, or undocumented exclusions, especially wildcard-like or high-level directory patterns if visible in available telemetry.
  • Correlate suspicious file or process activity with known excluded paths rather than relying only on AV detections, because the related behavior is specifically about avoiding file-based scanning.
  • Tune detections against legitimate software installation, performance, and compatibility exclusions to reduce false positives; require change context such as ticket, owner, business justification, and endpoint scope where available.
  • Validate whether endpoint telemetry still records file and process events inside excluded locations; some organizations may have scanner exclusions but still retain EDR or OS-level evidence.
  • During IR, compare observed artifact locations with configured exclusions to explain missing alerts and to identify potentially abused exception paths.

Mitigation priorities

  • Establish ownership, approval, expiration, and periodic review for AV and file-scanner exclusions.
  • Reduce broad or inherited exclusions where business operations allow, prioritizing exclusions that affect many systems or sensitive server/workstation groups.
  • Maintain an authoritative inventory of exclusions and make it available to SOC, IR, compliance, and endpoint engineering teams.
  • Ensure compensating visibility, such as file/process telemetry or configuration audit logs, remains available for excluded locations.
  • Include exclusion review in endpoint hardening, compliance evidence collection, and post-incident control validation.
Analyst notes and limits

This take is based on the DET0051 detection strategy metadata and its relationship to ATT&CK technique T1564.012, File/Path Exclusions. Because the detection strategy has no official MITRE description, detection text, tactics, or platforms specified, the practical guidance is framed around the related technique’s stated behavior and platforms.

No official DET0051 detection logic or platform list was supplied. Local endpoint product capabilities, logging configuration, exclusion policy design, and business-approved software requirements are required to determine actual coverage and tuning.

Official MITRE ATT&CK definition

Detection Strategy for File/Path Exclusions

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 rows
Domain ID Name Relationship / procedure
Enterprise T1564.012 File/Path Exclusions Sub-technique This object detects File/Path Exclusions.
Relationship explorer

All related ATT&CK context

detects · Technique T1564.012: File/Path Exclusions Enterprise
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
010937bb3029f8f3...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle 010937bb3029…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack DET0051
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use