Creation or modification of files in directories known to be excluded from AV scanning (e.g., C:\Windows\Temp, Exchange server directories, or the automatic exclusions Microsoft Defender applies for installed server roles). Treat the exclusion list as known to the adversary: unless the HideExclusionsFromLocalUsers/HideExclusionsFromLocalAdmins preferences are set, Get-MpPreference exposes ExclusionPath, ExclusionExtension and ExclusionProcess to any local user, so the value of this analytic lies in the correlation, not the path match alone. Defender perspective: correlate file creation with subsequent execution of the written file or with an anomalous writer (for example an Office or browser process dropping an executable into an excluded path). Sysmon EventCode 11 records the writing Image but not its parent, so join it to the writer's EventCode 1 record on ProcessGuid; Security EventCode 4663 only fires for objects that carry an object-access SACL.
| Data Component | Name | Channel |
|---|---|---|
| File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11 |
| File Access (DC0055) | WinEventLog:Security | EventCode=4663 |
| Field | Description |
|---|---|
| ExcludedPaths | List of directories excluded from scanning in the environment (customizable per organization). |
| ProcessAllowlist | Legitimate processes typically writing to excluded paths to minimize false positives. |
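The correlation described above, as an added example that is not part of the original analytic: it takes Sysmon EventCode 11 (FileCreate) and EventCode 1 (ProcessCreate) records as dicts with their Sysmon field names, normalizes paths so that separator or `..` tricks cannot dodge the prefix test, applies the ExcludedPaths and ProcessAllowlist tunables, joins the FileCreate to the writer's ProcessCreate on ProcessGuid to recover the parent, and escalates when the written file is itself launched within the correlation window. The exclusion list, allowlist, window and sample events are hypothetical values constructed for this example.

```python
"""Added example (not from the original analytic): flag writes into AV-exclusion
paths from Sysmon events and correlate them with later execution.

Assumed input: dicts carrying the Sysmon field names for EventCode 11
(UtcTime, ProcessGuid, Image, TargetFilename) and EventCode 1
(UtcTime, ProcessGuid, Image, ParentImage). FileCreate has no ParentImage,
so the writer's parent is recovered by joining on ProcessGuid.
"""
from datetime import datetime, timedelta

# Hypothetical tuning values (the analytic's ExcludedPaths / ProcessAllowlist / window).
EXCLUDED_PATHS = [r"C:\Windows\Temp", r"C:\Program Files\Microsoft\Exchange Server"]
PROCESS_ALLOWLIST = {r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\msiexec.exe"}
CORRELATION_WINDOW = timedelta(minutes=5)


def normalize(path: str) -> str:
    """Lower-case, unify separators and collapse '.'/'..' so a prefix test is not
    fooled by C:\\Windows\\Temp\\..\\System32\\x.exe or C:/Windows/Temp/x.exe."""
    drive, _, rest = path.replace("/", "\\").partition("\\")
    parts = []
    for part in rest.split("\\"):
        if part in ("", "."):
            continue
        if part == "..":
            if parts:
                parts.pop()
            continue
        parts.append(part)
    return "\\".join([drive] + parts).lower()


def in_excluded_path(path: str) -> bool:
    """True only for files under an excluded directory; C:\\Windows\\Temporary must not match."""
    norm = normalize(path)
    return any(norm.startswith(normalize(ex) + "\\") for ex in EXCLUDED_PATHS)


def _ts(event: dict) -> datetime:
    return datetime.strptime(event["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")


def detect(events: list) -> list:
    """One alert per non-allowlisted FileCreate into an excluded path, escalated to
    'high' when a ProcessCreate for that file follows within CORRELATION_WINDOW."""
    allow = {normalize(p) for p in PROCESS_ALLOWLIST}
    procs = {e["ProcessGuid"]: e for e in events if e["EventCode"] == 1}
    alerts = []
    for c in (e for e in events if e["EventCode"] == 11):
        if not in_excluded_path(c["TargetFilename"]) or normalize(c["Image"]) in allow:
            continue
        target = normalize(c["TargetFilename"])
        writer = procs.get(c["ProcessGuid"], {})  # join on ProcessGuid for the parent
        executed = any(
            normalize(p["Image"]) == target
            and timedelta(0) <= _ts(p) - _ts(c) <= CORRELATION_WINDOW
            for p in procs.values()
        )
        alerts.append({
            "file": target,
            "writer": c["Image"],
            "parent": writer.get("ParentImage", "unknown"),
            "executed": executed,
            "severity": "high" if executed else "medium",
        })
    return alerts


# Constructed sample telemetry (not real logs).
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
SAMPLE_EVENTS = [
    {"EventCode": 1, "UtcTime": "2024-05-01 11:58:00.000", "ProcessGuid": "{g-svchost}",
     "Image": r"C:\Windows\System32\svchost.exe", "ParentImage": r"C:\Windows\System32\services.exe"},
    {"EventCode": 1, "UtcTime": "2024-05-01 11:59:00.000", "ProcessGuid": "{g-winword}",
     "Image": WORD, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"},
    {"EventCode": 1, "UtcTime": "2024-05-01 11:59:30.000", "ProcessGuid": "{g-cmd}",
     "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe"},
    # allowlisted writer: ignored
    {"EventCode": 11, "UtcTime": "2024-05-01 12:00:00.000", "ProcessGuid": "{g-svchost}",
     "Image": r"C:\Windows\System32\svchost.exe", "TargetFilename": r"C:\Windows\Temp\abc.tmp"},
    # Office process drops an executable into an excluded path, later executed
    {"EventCode": 11, "UtcTime": "2024-05-01 12:00:05.000", "ProcessGuid": "{g-winword}",
     "Image": WORD, "TargetFilename": r"C:\Windows\Temp\update.exe"},
    # odd separators still resolve into the excluded path
    {"EventCode": 11, "UtcTime": "2024-05-01 12:00:10.000", "ProcessGuid": "{g-cmd}",
     "Image": r"C:\Windows\System32\cmd.exe", "TargetFilename": "C:/Windows/Temp/./stage.dll"},
    # same prefix text but a different directory: not excluded
    {"EventCode": 11, "UtcTime": "2024-05-01 12:00:12.000", "ProcessGuid": "{g-cmd}",
     "Image": r"C:\Windows\System32\cmd.exe", "TargetFilename": r"C:\Windows\Temporary\notes.txt"},
    {"EventCode": 1, "UtcTime": "2024-05-01 12:00:30.000", "ProcessGuid": "{g-update}",
     "Image": r"C:\Windows\Temp\update.exe", "ParentImage": WORD},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

In production the allowlist should be keyed on more than the image path (signer or hash), since an adversary who can write to an excluded directory can usually also name a file svchost.exe there.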
Adversaries writing or moving payloads into directories configured as AV/EDR exclusion paths (e.g., /tmp, /var/lib, or custom directories that the scanner or the audit ruleset is configured to skip). Modern glibc issues open() (and normally creat()) as the openat syscall on x86_64, so the audit rule must list open, openat (and openat2 where present) and creat rather than open alone; the nametype=CREATE field on the PATH record distinguishes a newly created file from a read of an existing one. Defender perspective: detect file creation in paths matching known exclusions and correlate it with unusual parent processes or with a later execve of the written file.
| Data Component | Name | Channel |
|---|---|---|
| File Creation (DC0039) | auditd:SYSCALL | open, openat, openat2 or creat syscalls targeting excluded paths |
| File Metadata (DC0059) | auditd:PATH | file path matches exclusion directories |
| Field | Description |
|---|---|
| ExcludedDirectories | System- or security-tool-configured exclusion directories where files should rarely change. |
| CorrelationWindow | Time window to correlate file creation in excluded paths with execution or network activity. |
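Reassembling auditd events for this analytic, as an added example that is not part of the original page: the SYSCALL, CWD and PATH records of one syscall share the audit(timestamp:serial) stamp and must be joined on the serial; file names containing spaces or control bytes are logged as unquoted hex and must be decoded before matching; relative names are resolved against the CWD record; and only PATH items with nametype=CREATE count as creation. The exclusion list, the assumed audit rule in the docstring, and the sample log lines are constructed for this example.

```python
"""Added example (not from the original analytic): reassemble auditd events and flag
file creation inside AV/EDR exclusion directories.

Assumed input: raw auditd lines (type=SYSCALL / CWD / PATH) from an x86_64 host,
as produced by a rule such as
  -a always,exit -F arch=b64 -S open,openat,creat -F dir=/tmp -k excl_write
"""
import posixpath
import re
from collections import defaultdict

EXCLUDED_DIRECTORIES = ["/tmp", "/var/lib", "/opt/scanner-excluded"]  # hypothetical tuning values

# x86_64 (arch=c000003e) syscalls that can create a regular file.
CREATE_SYSCALLS_X86_64 = {"2": "open", "85": "creat", "257": "openat", "437": "openat2"}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")


def decode_field(value: str) -> str:
    """auditd quotes printable names; names with spaces or control bytes are
    emitted unquoted as hex and must be decoded before path matching."""
    if value.startswith('"') and value.endswith('"'):
        return value[1:-1]
    if len(value) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", value):
        return bytes.fromhex(value).decode("utf-8", "replace")
    return value


def parse_record(line: str):
    m = MSG_RE.search(line)
    if not m:
        return None
    rec = dict(KV_RE.findall(line))
    rec["_time"], rec["_serial"] = m.group(1), m.group(2)
    return rec


def group_events(lines):
    """All records of one syscall carry the same audit(ts:serial); join on the serial."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec:
            events[rec["_serial"]].append(rec)
    return events


def in_excluded_dir(path: str) -> bool:
    norm = posixpath.normpath(path)  # collapses /tmp/../etc/passwd to /etc/passwd
    return any(norm.startswith(d.rstrip("/") + "/") for d in EXCLUDED_DIRECTORIES)


def detect(lines):
    findings = []
    for serial, recs in group_events(lines).items():
        sc = next((r for r in recs if r.get("type") == "SYSCALL"), None)
        if not sc or sc.get("arch") != "c000003e" or sc.get("success") != "yes":
            continue
        name = CREATE_SYSCALLS_X86_64.get(sc.get("syscall"))
        if not name:
            continue
        cwd = next((decode_field(r["cwd"]) for r in recs if r.get("type") == "CWD"), "/")
        for r in recs:
            # nametype=CREATE is the item that was created; NORMAL is an open of an existing file
            if r.get("type") != "PATH" or r.get("nametype") != "CREATE":
                continue
            path = decode_field(r["name"])
            if not path.startswith("/"):
                path = posixpath.join(cwd, path)  # relative names resolve against CWD
            if in_excluded_dir(path):
                findings.append({
                    "serial": serial, "time": float(sc["_time"]), "syscall": name,
                    "exe": decode_field(sc.get("exe", "?")), "comm": decode_field(sc.get("comm", "?")),
                    "pid": sc.get("pid"), "uid": sc.get("uid"), "path": posixpath.normpath(path),
                })
    return findings


# Constructed sample log (not real telemetry): 101 = hit, 102 = hit with hex-encoded
# name "/var/lib/x y", 103 = relative name outside exclusions, 104 = read of an
# existing file, 105 = prefix look-alike directory.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1714564800.101:101): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d0 a2=c1 a3=1b6 items=2 ppid=1000 pid=1001 auid=1000 uid=1000 comm="curl" exe="/usr/bin/curl" key="excl_write"
type=CWD msg=audit(1714564800.101:101): cwd="/home/alice"
type=PATH msg=audit(1714564800.101:101): item=0 name="/tmp/.x/" nametype=PARENT
type=PATH msg=audit(1714564800.101:101): item=1 name="/tmp/.x/payload" nametype=CREATE
type=SYSCALL msg=audit(1714564800.102:102): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=55e0 a2=41 a3=1b6 items=2 ppid=1 pid=1200 auid=4294967295 uid=0 comm="python3" exe="/usr/bin/python3.11" key="excl_write"
type=CWD msg=audit(1714564800.102:102): cwd="/"
type=PATH msg=audit(1714564800.102:102): item=0 name="/var/lib/" nametype=PARENT
type=PATH msg=audit(1714564800.102:102): item=1 name=2F7661722F6C69622F782079 nametype=CREATE
type=SYSCALL msg=audit(1714564800.103:103): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55f0 a2=241 a3=1b6 items=2 ppid=1000 pid=1300 auid=1000 uid=1000 comm="vim" exe="/usr/bin/vim" key="excl_write"
type=CWD msg=audit(1714564800.103:103): cwd="/home/alice"
type=PATH msg=audit(1714564800.103:103): item=0 name="." nametype=PARENT
type=PATH msg=audit(1714564800.103:103): item=1 name="notes.txt" nametype=CREATE
type=SYSCALL msg=audit(1714564800.104:104): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=5600 a2=0 a3=0 items=1 ppid=1000 pid=1400 auid=1000 uid=1000 comm="cat" exe="/usr/bin/cat" key="excl_write"
type=CWD msg=audit(1714564800.104:104): cwd="/home/alice"
type=PATH msg=audit(1714564800.104:104): item=0 name="/tmp/existing.log" nametype=NORMAL
type=SYSCALL msg=audit(1714564800.105:105): arch=c000003e syscall=2 success=yes exit=3 a0=5610 a1=41 a2=1b6 a3=0 items=2 ppid=1000 pid=1500 auid=1000 uid=1000 comm="touch" exe="/usr/bin/touch" key="excl_write"
type=CWD msg=audit(1714564800.105:105): cwd="/home/alice"
type=PATH msg=audit(1714564800.105:105): item=0 name="/tmpfiles/" nametype=PARENT
type=PATH msg=audit(1714564800.105:105): item=1 name="/tmpfiles/a" nametype=CREATE
"""

if __name__ == "__main__":
    for f in detect(SAMPLE_AUDIT_LOG.splitlines()):
        print(f)
```

The syscall table is for x86_64 only; a 32-bit or aarch64 host reports different numbers (and aarch64 has no open or creat at all), so check the arch field before mapping, as the code does. The findings carry the serial so that a later EXECVE event for the same path can be tied back within the analytic's CorrelationWindow.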
Suspicious file creation or modification in directories that third-party AV excludes from scanning or that XProtect does not inspect (e.g., ~/Library, temporary cache directories). XProtect has no user-editable exclusion list, so on macOS this analytic is mainly about third-party AV/EDR exclusions. The unified log on its own rarely records individual file writes; an Endpoint Security client subscribed to ES_EVENT_TYPE_NOTIFY_CREATE / ES_EVENT_TYPE_NOTIFY_WRITE, or fs_usage during an investigation, is usually the practical source. Defender perspective: monitor file events in these paths and correlate them with execution (a process launched from the written file) or persistence activity (LaunchAgent or LaunchDaemon plists written under ~/Library/LaunchAgents or /Library/LaunchDaemons).
| Data Component | Name | Channel |
|---|---|---|
| File Creation (DC0039) | macos:unifiedlog | file creation in AV exclusion directories |
| Process Creation (DC0032) | macos:unifiedlog | process writes or modifies files in excluded paths |
| Field | Description |
|---|---|
| AVExclusionPaths | Paths ignored by AV/XProtect that should be monitored for abnormal writes. |
| ProcessContext | Expected user or application context writing to excluded directories. |