Live Active security incident? Get immediate response
MITRE ATT&CK® Technique

T1564.012: File/Path Exclusions

Adversaries may attempt to hide their file-based artifacts by writing them to specific folders or file names excluded from antivirus (AV) scanning and other defensive capabilities. AV and other file-based scanners often include exclusions to optimize performance as well as ease installation and legitimate use of applications. These exclusions may be contextual (e.g., scans are only initiated in response to specific triggering events/alerts), but are also often hardcoded strings referencing specific folders and/or files assumed to be trusted and legitimate.[1]

Adversaries may abuse these exclusions to hide their file-based artifacts. For example, rather than tampering with tool settings to add a new exclusion (i.e., Disable or Modify Tools), adversaries may drop their file-based payloads in default or otherwise well-known exclusions. Adversaries may also use Security Software Discovery and other Discovery/Reconnaissance activities to both discover and verify existing exclusions in a victim environment.

EnterpriseT1564.012Sub-techniqueObject v2.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

File/Path Exclusions matters because attackers may place malware or other file-based artifacts in locations that security tools already trust or skip for performance and compatibility reasons. For leaders, the risk is not just “malware hiding on disk”; it is a control-assurance problem: endpoint protection may be present, but exclusions can create quiet gaps in prevention, detection, investigation, and audit evidence across Linux, macOS, and Windows environments.

Executive priority

Treat AV and file-scanning exclusions as a governed security exception process, not a background configuration detail. Security leaders should ask who owns exclusion approval, how default or vendor-recommended exclusions are reviewed, whether high-risk systems have different standards, and whether SOC/IR teams can see files created or executed from excluded paths. This technique is especially relevant to operational resilience because it can reduce confidence in endpoint detections during an incident without requiring the adversary to directly disable the tool.

Technical view

ATT&CK defines this as a stealth sub-technique of Hide Artifacts for Linux, macOS, and Windows. The key validation question for SOC and IR teams is whether they can identify suspicious file creation, execution, or staging in paths or filenames that are excluded from antivirus or other file-based scanning. Because no official ATT&CK detection text is provided, teams should use the related DET0051 detection strategy as a prompt to build local analytics around exclusion-aware telemetry. Relationship context also notes Security Software Discovery and broader discovery/reconnaissance may be used to find or verify exclusions, so detection should not focus only on payload placement; it should also consider preceding discovery behavior where supported by logs.

Likely telemetry

  • Endpoint file creation, modification, and execution events on Linux, macOS, and Windows
  • AV/antimalware policy configuration, exclusion lists, and contextual exclusion settings
  • Security tool health, scan, quarantine, and allow/skip decision logs where available
  • Process lineage for files written to or launched from excluded paths
  • Administrative change records for approved security exclusions

Detection direction

  • Inventory exclusions and map them to telemetry coverage; confirm whether excluded paths are still visible to EDR, OS auditing, or other controls.
  • Build or tune analytics for newly written or executed files in excluded locations, with allowlisting for known legitimate application behavior to reduce false positives.
  • Review whether default, hardcoded, or vendor-recommended exclusions create high-value blind spots on servers, developer workstations, and privileged endpoints.
  • Correlate suspicious activity in excluded paths with prior security software discovery behavior where telemetry supports it.
  • During investigations, do not assume a clean AV result covers excluded folders or filenames; explicitly verify whether the artifact location was scanned.

Mitigation priorities

  • Govern AV/antimalware exclusions through approval, expiration, ownership, and periodic review.
  • Minimize broad path exclusions; prefer narrow, contextual, and documented exclusions where operationally required.
  • Use antivirus/antimalware controls consistently across supported endpoints and keep policy/configuration evidence available for audit and IR.
  • Apply application developer guidance so internal applications do not require unnecessarily broad scanning exclusions for normal operation.
  • Ensure incident response playbooks require review of exclusion policy and excluded-path artifacts before declaring an endpoint clean.
Analyst notes and limits

ATT&CK relationship context identifies DET0051 as a detection strategy, M1049 Antivirus/Antimalware and M1013 Application Developer Guidance as mitigations, and Turla as a group that uses this technique. The Turla relationship should be treated as threat-intelligence context only; observing this behavior is not sufficient for attribution.

The official ATT&CK object does not provide detection details, procedures, or specific telemetry field names. Local AV/EDR product behavior, operating system audit settings, and approved exclusion policy determine practical visibility. This summary does not assert active exploitation or guaranteed detection coverage.

Official MITRE ATT&CK definition

File/Path Exclusions

Adversaries may attempt to hide their file-based artifacts by writing them to specific folders or file names excluded from antivirus (AV) scanning and other defensive capabilities. AV and other file-based scanners often include exclusions to optimize performance as well as ease installation and legitimate use of applications. These exclusions may be contextual (e.g., scans are only initiated in response to specific triggering events/alerts), but are also often hardcoded strings referencing specific folders and/or files assumed to be trusted and legitimate.[1]

Adversaries may abuse these exclusions to hide their file-based artifacts. For example, rather than tampering with tool settings to add a new exclusion (i.e., Disable or Modify Tools), adversaries may drop their file-based payloads in default or otherwise well-known exclusions. Adversaries may also use Security Software Discovery and other Discovery/Reconnaissance activities to both discover and verify existing exclusions in a victim environment.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 rows
Domain ID Name Relationship / procedure
Enterprise T1564 Hide Artifacts This object subtechnique of Hide Artifacts.
Associated objects

Groups, software, and campaigns

Group Enterprise

G0010: Turla

Turla is a cyber espionage threat group that has been attributed to Russia's Federal Security Service (FSB). They have compromised victims in over 50 countries since at least 2004, spanning a range of industries including government, embassies, military, education, research and pharmaceutical companies. Turla is known for conducting watering hole and spearphishing campaigns, and leveraging in-house tools and malware, such as Uroburos.[1][2][3][4][5]

Relationship explorer

All related ATT&CK context

detects · Detection Strategy DET0051: Detection Strategy for File/Path Exclusions Enterprise mitigates · Mitigation M1049: Antivirus/Antimalware Enterprise subtechnique of · Technique T1564: Hide Artifacts Enterprise uses · Group G0010: Turla Enterprise mitigates · Mitigation M1013: Application Developer Guidance Enterprise
Mitigations

Mitigation direction

Mitigation Enterprise

M1049: Antivirus/Antimalware

Antivirus/Antimalware solutions utilize signatures, heuristics, and behavioral analysis to detect, block, and remediate malicious software, including viruses, trojans, ransomware, and spyware. These solutions continuously monitor endpoints and systems for known malicious patterns and suspicious behaviors that indicate compromise. Antivirus/Antimalware software should be deployed across all devices, with automated updates to ensure protection against the latest threats. This mitigation can be implemented through the following measures:

Signature-Based Detection:

- Implementation: Use predefined signatures to identify known malware based on unique patterns such as file hashes, byte sequences, or command-line arguments. This method is effective against known threats. - Use Case: When malware like "Emotet" is detected, its signature (such as a specific file hash) matches a known database of malicious software, triggering an alert and allowing immediate quarantine of the infected file.

Heuristic-Based Detection:

- Implementation: Deploy heuristic algorithms that analyze behavior and characteristics of files and processes to identify potential malware, even if it doesn’t match a known signature. - Use Case: If a program attempts to modify multiple critical system files or initiate suspicious network communications, heuristic analysis may flag it as potentially malicious, even if no specific malware signature is available.

Behavioral Detection (Behavior Prevention):

- Implementation: Use behavioral analysis to detect patterns of abnormal activities, such as unusual system calls, unauthorized file encryption, or attempts to escalate privileges. - Use Case: Behavioral analysis can detect ransomware attacks early by identifying behavior like mass file encryption, even before a specific ransomware signature has been identified.

Real-Time Scanning:

- Implementation: Enable real-time scanning to automatically inspect files and network traffic for signs of malware as they are accessed, downloaded, or executed. - Use Case: When a user downloads an email attachment, the antivirus solution scans the file in real-time, checking it against both signatures and heuristics to detect any malicious content before it can be opened.

Cloud-Assisted Threat Intelligence:

- Implementation: Use cloud-based threat intelligence to ensure the antivirus solution can access the latest malware definitions and real-time threat feeds from a global database of emerging threats. - Use Case: Cloud-assisted antivirus solutions quickly identify newly discovered malware by cross-referencing against global threat databases, providing real-time protection against zero-day attacks.

**Tools for Implementation**:

- Endpoint Security Platforms: Use solutions such as EDR for comprehensive antivirus/antimalware protection across all systems. - Centralized Management: Implement centralized antivirus management consoles that provide visibility into threat activity, enable policy enforcement, and automate updates. - Behavioral Analysis Tools: Leverage solutions with advanced behavioral analysis capabilities to detect malicious activity patterns that don’t rely on known signatures.

Mitigation Enterprise

M1013: Application Developer Guidance

Application Developer Guidance focuses on providing developers with the knowledge, tools, and best practices needed to write secure code, reduce vulnerabilities, and implement secure design principles. By integrating security throughout the software development lifecycle (SDLC), this mitigation aims to prevent the introduction of exploitable weaknesses in applications, systems, and APIs. This mitigation can be implemented through the following measures: Preventing SQL Injection (Secure Coding Practice):

- Implementation: Train developers to use parameterized queries or prepared statements instead of directly embedding user input into SQL queries. - Use Case: A web application accepts user input to search a database. By sanitizing and validating user inputs, developers can prevent attackers from injecting malicious SQL commands.

Cross-Site Scripting (XSS) Mitigation:

- Implementation: Require developers to implement output encoding for all user-generated content displayed on a web page. - Use Case: An e-commerce site allows users to leave product reviews. Properly encoding and escaping user inputs prevents malicious scripts from being executed in other users’ browsers.

Secure API Design:

- Implementation: Train developers to authenticate all API endpoints and avoid exposing sensitive information in API responses. - Use Case: A mobile banking application uses APIs for account management. By enforcing token-based authentication for every API call, developers reduce the risk of unauthorized access.

Static Code Analysis in the Build Pipeline:

- Implementation: Incorporate tools into CI/CD pipelines to automatically scan for vulnerabilities during the build process. - Use Case: A fintech company integrates static analysis tools to detect hardcoded credentials in their source code before deployment.

Threat Modeling in the Design Phase:

- Implementation: Use frameworks like STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege) to assess threats during application design. - Use Case: Before launching a customer portal, a SaaS company identifies potential abuse cases, such as session hijacking, and designs mitigations like secure session management.

**Tools for Implementation**:

- Static Code Analysis Tools: Use tools that can scan for known vulnerabilities in source code. - Dynamic Application Security Testing (DAST): Use tools like Burp Suite or OWASP ZAP to simulate runtime attacks and identify vulnerabilities. - Secure Frameworks: Recommend secure-by-default frameworks (e.g., Django for Python, Spring Security for Java) that enforce security best practices.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
2.0
Created
Modified
Raw hash
050802c7890826de...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 2.0 Current bundle 050802c78908…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    Microsoft File Folder Exclusions

    Microsoft. (2024, February 27). Contextual file and folder exclusions. Retrieved March 29, 2024.

    Open source URL
  2. [2]
    mitre-attack T1564.012
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use