MITRE ATT&CK® Detection Strategy

DET0897: Detection of Selective Exclusion


Enterprise | DET0897 | Detection Strategy | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

Selective exclusion matters because ransomware or destructive payloads may deliberately skip certain files or system components to stay stable, reduce user-visible disruption, or avoid obvious security triggers while still causing business harm. This detection strategy object has no official MITRE detection text, so its value is mainly as a prompt to validate whether defenders can recognize suspicious exclusion patterns around malicious encryption or tampering activity.

Executive priority

Treat this as a resilience and incident-readiness question: during a ransomware investigation, can the organization prove what was touched, what was skipped, and whether exclusions indicate stealth rather than benign application behavior? Leaders should prioritize evidence collection on Windows endpoints, investigation playbooks for ransomware-like activity, and audit-ready logging that supports containment and recovery decisions.

Technical view

DET0897 is the detection strategy object paired with T1679 Selective Exclusion, which the related technique entry lists as a Windows technique used for stealth. Because ATT&CK provides no official detection logic for this strategy, SOC and IR teams should validate coverage by looking for a process that encrypts, modifies, or renames a large number of files while consistently leaving specific extensions, directories, or system components untouched (the related technique description references executable and link-related file types, for example). Exclusion on its own is not a signal: correlate it with process lineage, command-line context, file write/rename activity, and endpoint security events rather than relying on the skipped files alone.

Likely telemetry

  • Endpoint file creation, modification, rename, and deletion events
  • Process execution and parent-child process telemetry
  • Command-line arguments and script execution logs where available
  • Endpoint detection and response alerts tied to ransomware-like file activity
  • Windows host logs and security product telemetry relevant to file tampering

Detection direction

  • Validate whether current endpoint telemetry can show both affected and intentionally skipped file types or directories during high-volume file activity.
  • Tune for suspicious consistency: repeated avoidance of selected extensions, folders, or system components by the same process or process tree during encryption-like behavior.
  • Correlate exclusion patterns with ransomware indicators such as mass file modification, unusual process lineage, or tampering behavior to reduce false positives from legitimate backup, indexing, patching, or administrative tools.
  • Confirm incident responders can reconstruct file activity timelines on Windows systems, since the related ATT&CK technique lists Windows as the platform.
  • Document blind spots where file telemetry is sampled, disabled, retained too briefly, or unavailable on high-value endpoints.
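The technical view and the detection direction list above describe one check: a non-baseline process performing bulk file writes or renames that consistently leaves particular file types untouched in the directories it works through, correlated with its parent process and rename targets. The following Python is an added example written for this page, not MITRE or Glexia code. It assumes a constructed JSON-lines file-event schema (ts, pid, process, parent, op, path, and new_path for renames) and a pre-incident per-directory file inventory such as a backup catalogue, because file telemetry only shows what was touched and the inventory is what makes skipped files visible. The process names, paths, the baseline set, and the .locked rename extension are all invented sample data.

```python
"""Hunt for selective-exclusion patterns in endpoint file telemetry.

Added example for this page, not MITRE or Glexia code. Assumes a
constructed JSON-lines event schema (ts, pid, process, parent, op,
path, new_path) and a pre-incident per-directory file inventory
(e.g. a backup catalogue) so files a process never touched are visible.
"""
import json
import ntpath
from collections import Counter, defaultdict

# Known bulk file handlers that legitimately touch everything (baseline; tune locally).
BASELINE = {"backupagent.exe", "searchindexer.exe"}

# Constructed telemetry: updater.exe (spawned by winword.exe) rewrites and renames
# user documents but never touches the .exe/.lnk files sitting in the same folders.
SAMPLE_EVENTS = r"""
{"ts":"2026-03-02T10:01:00Z","pid":4120,"process":"updater.exe","parent":"winword.exe","op":"write","path":"C:\\Users\\a\\Documents\\q1.docx"}
{"ts":"2026-03-02T10:01:01Z","pid":4120,"process":"updater.exe","parent":"winword.exe","op":"rename","path":"C:\\Users\\a\\Documents\\q1.docx","new_path":"C:\\Users\\a\\Documents\\q1.docx.locked"}
{"ts":"2026-03-02T10:01:02Z","pid":4120,"process":"updater.exe","parent":"winword.exe","op":"write","path":"C:\\Users\\a\\Documents\\budget.xlsx"}
{"ts":"2026-03-02T10:01:03Z","pid":4120,"process":"updater.exe","parent":"winword.exe","op":"rename","path":"C:\\Users\\a\\Documents\\budget.xlsx","new_path":"C:\\Users\\a\\Documents\\budget.xlsx.locked"}
{"ts":"2026-03-02T10:01:04Z","pid":4120,"process":"updater.exe","parent":"winword.exe","op":"write","path":"C:\\Users\\a\\Desktop\\plan.pptx"}
{"ts":"2026-03-02T10:01:05Z","pid":4120,"process":"updater.exe","parent":"winword.exe","op":"rename","path":"C:\\Users\\a\\Desktop\\plan.pptx","new_path":"C:\\Users\\a\\Desktop\\plan.pptx.locked"}
{"ts":"2026-03-02T10:01:06Z","pid":4120,"process":"updater.exe","parent":"winword.exe","op":"write","path":"C:\\Users\\a\\Desktop\\photo.jpg"}
{"ts":"2026-03-02T10:01:07Z","pid":4120,"process":"updater.exe","parent":"winword.exe","op":"rename","path":"C:\\Users\\a\\Desktop\\photo.jpg","new_path":"C:\\Users\\a\\Desktop\\photo.jpg.locked"}
{"ts":"2026-03-02T10:02:00Z","pid":900,"process":"backupagent.exe","parent":"services.exe","op":"write","path":"D:\\Backup\\a\\Documents\\tool.exe"}
{"ts":"2026-03-02T10:02:30Z","pid":1200,"process":"svchost.exe","parent":"services.exe","op":"write","path":"C:\\Windows\\Temp\\x.tmp"}
"""

# Constructed pre-incident snapshot of each directory (what existed before the activity).
SAMPLE_INVENTORY = {
    r"C:\Users\a\Documents": ["q1.docx", "budget.xlsx", "tool.exe", "shortcut.lnk", "helper.dll"],
    r"C:\Users\a\Desktop": ["plan.pptx", "photo.jpg", "run.exe", "link.lnk"],
}


def parse_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def ext_of(path):
    # ntpath handles Windows paths on any host OS.
    return ntpath.splitext(path)[1].lower()


def profile(events):
    """Per (pid, process): modifying ops, extensions touched per directory, rename targets."""
    prof = {}
    for e in events:
        if e["op"] not in ("write", "rename"):
            continue
        p = prof.setdefault((e["pid"], e["process"]),
                            {"parent": e["parent"], "mods": 0,
                             "dirs": defaultdict(set), "renames_to": set()})
        p["mods"] += 1
        p["dirs"][ntpath.dirname(e["path"])].add(ext_of(e["path"]))
        if e["op"] == "rename":
            p["renames_to"].add(ext_of(e["new_path"]))
    return prof


def skipped_extensions(entry, inventory, min_dirs):
    """Extensions present in at least min_dirs touched directories but never modified."""
    present_in, touched_in = Counter(), Counter()
    for d, touched in entry["dirs"].items():
        for ext in {ext_of(f) for f in inventory.get(d, [])}:
            present_in[ext] += 1
            if ext in touched:
                touched_in[ext] += 1
    return {x for x, n in present_in.items() if n >= min_dirs and touched_in[x] == 0}


def find_selective_exclusion(events, inventory, min_mods=5, min_dirs=2):
    """Flag non-baseline processes doing bulk writes that consistently skip file types."""
    findings = []
    for (pid, name), entry in profile(events).items():
        if name.lower() in BASELINE or entry["mods"] < min_mods:
            continue
        skipped = skipped_extensions(entry, inventory, min_dirs)
        if not skipped:
            continue
        findings.append({
            "pid": pid, "process": name, "parent": entry["parent"],
            "mods": entry["mods"], "dirs": len(entry["dirs"]),
            "skipped_extensions": sorted(skipped),
            "rename_targets": sorted(entry["renames_to"]),
            # Heuristic: many files renamed to a single new extension looks like encryption.
            "encryption_like": len(entry["renames_to"]) == 1,
        })
    return findings


if __name__ == "__main__":
    for finding in find_selective_exclusion(parse_events(SAMPLE_EVENTS), SAMPLE_INVENTORY):
        print(json.dumps(finding, indent=2))
```

On the sample data this reports updater.exe (parent winword.exe) with eight modifying operations across two directories, .exe and .lnk consistently skipped, and a single rename target, while the baseline backup agent and the low-volume svchost.exe are ignored. The thresholds (min_mods, min_dirs) and the baseline set are the tuning knobs the detection direction list refers to; the dependence on an inventory is exactly the blind spot to document if no pre-incident file catalogue exists for a host.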

Mitigation priorities

  • Prioritize endpoint logging and retention sufficient to support ransomware investigations and recovery scoping.
  • Harden and monitor security controls that protect endpoint telemetry from tampering or loss.
  • Maintain baselines for normal high-volume file operations by backup, update, indexing, and administrative tools so unusual exclusion behavior is easier to triage.
  • Ensure ransomware response playbooks include analysis of skipped files and directories, not only encrypted or modified files.
  • Use tabletop or detection-validation exercises to confirm SOC and IR teams can identify selective exclusion patterns without relying on a vendor-specific analytic.

Analyst notes and limits

The supplied ATT&CK detection strategy is sparse: it has a name and relationship to T1679 but no official description, detection guidance, tactics, or platforms of its own. The practical interpretation comes from the relationship to Selective Exclusion, whose supplied context describes adversaries excluding files, folders, directories, file types, or system components from encryption or tampering during ransomware or malicious payload execution.

This take does not assert active exploitation, actor attribution, guaranteed detectability, or environment-specific exposure. Local validation is required to determine whether the organization collects the necessary endpoint and file telemetry, how long it is retained, and how legitimate administrative or backup behavior may resemble selective exclusion.

Official MITRE ATT&CK definition

Detection of Selective Exclusion

No official description is available in the imported ATT&CK source object.

The same entry is available on attack.mitre.org (MITRE-hosted reference).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain      ID     Name                 Relationship / procedure
Enterprise  T1679  Selective Exclusion  This object detects Selective Exclusion.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Raw hash: 280769138760398c...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1                      1.0                       Current bundle  280769138760…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

[1] mitre-attack: DET0897

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.