A process with no prior history, or one outside the set of known whitelisted tools, initiates file or registry modifications to configure exclusion rules for antivirus, backup, or file-handling systems. Alternatively, it enumerates the file system for specific file names and critical extensions such as .dll, .exe, or .sys, for specific directories such as 'Program Files' or security tool paths, or performs system component discovery, in order to select the files or components to exclude.
| Data Component | Name | Channel |
|---|---|---|
| Command Execution (DC0064) | WinEventLog:PowerShell | EventCode=4104 |
| Process Creation (DC0032) | WinEventLog:Security | EventCode=4688 |
| File Modification (DC0061) | WinEventLog:Security | EventCode=4670 |
| Field | Description |
|---|---|
| TimeWindow | Correlate multiple discovery activities and file enumeration activities. |
| DiscoveryActivityThreshold | Minimum number of different discovery techniques within the time window required to trigger a detection; balances false positives against coverage (default: 4 activities) |
| ExclusionTargetList | List of extensions or folders considered suspicious when excluded (e.g., .dll, .exe, C:\\Program Files\\) |
| AuthorizedExclusionModifiers | Whitelist of known system management tools/processes allowed to modify exclusion settings |
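The correlation the two tables describe, as an added example that is not part of the original detection strategy: a small Python correlator over constructed Windows event records (EventCode 4688, 4104, 4670) that alerts when a process outside the AuthorizedExclusionModifiers whitelist writes an exclusion for an ExclusionTargetList item after at least DiscoveryActivityThreshold distinct discovery activities within TimeWindow. The discovery taxonomy, the `sccm_agent.exe` whitelist entry, and the sample events are assumptions constructed for the example.

```python
from datetime import datetime, timedelta

# Tunables from the table above; values are constructed for this example
TIME_WINDOW = timedelta(minutes=10)
DISCOVERY_ACTIVITY_THRESHOLD = 4
EXCLUSION_TARGET_LIST = (".dll", ".exe", ".sys", "c:\\program files\\")
AUTHORIZED_EXCLUSION_MODIFIERS = {"sccm_agent.exe"}  # hypothetical management agent
DISCOVERY_PATTERNS = {  # hypothetical taxonomy: each key is one distinct discovery activity
    "file_enum": ("dir ", "get-childitem", "gci "),
    "critical_ext": (".dll", ".exe", ".sys"),
    "security_path": ("program files", "windows defender"),
    "registry_query": ("reg query", "get-itemproperty"),
    "exclusion_read": ("get-mppreference",),
}
def discovery_activities(text):
    t = text.lower()
    return {k for k, pats in DISCOVERY_PATTERNS.items() if any(p in t for p in pats)}
def is_exclusion_write(ev):
    # 4104: script block adding/setting an exclusion; 4670: change on the exclusions key
    t = ev["detail"].lower()
    wrote = ("add-mppreference" in t or "set-mppreference" in t) if ev["EventCode"] == 4104 \
        else ev["EventCode"] == 4670 and "\\windows defender\\exclusions" in t
    return wrote and any(target in t for target in EXCLUSION_TARGET_LIST)
def detect(events):
    # Alert: non-whitelisted process writes a sensitive exclusion after >= threshold discovery activities
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not is_exclusion_write(ev) or ev["process"].lower() in AUTHORIZED_EXCLUSION_MODIFIERS:
            continue
        t_end, seen = datetime.fromisoformat(ev["ts"]), set()
        for prior in events:  # same host and process, strictly before the write
            t = datetime.fromisoformat(prior["ts"])
            if (prior["host"], prior["process"]) == (ev["host"], ev["process"]) \
                    and t_end - TIME_WINDOW <= t < t_end:
                seen |= discovery_activities(prior["detail"])
        if len(seen) >= DISCOVERY_ACTIVITY_THRESHOLD:
            alerts.append({"ts": ev["ts"], "host": ev["host"],
                           "process": ev["process"], "activities": sorted(seen)})
    return alerts
def mk(minute, process, code, detail):  # builds one constructed telemetry record
    return {"ts": f"2024-05-01T10:{minute:02d}:00", "host": "W1", "process": process,
            "EventCode": code, "detail": detail}
SAMPLE_EVENTS = [  # constructed, not real logs
    mk(0, "powershell.exe", 4688, 'cmd /c dir "C:\\Program Files"'),
    mk(1, "powershell.exe", 4104, "Get-ChildItem -Recurse C:\\Windows\\System32 -Include *.dll"),
    mk(2, "powershell.exe", 4104, 'reg query "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions"'),
    mk(3, "powershell.exe", 4104, "Get-MpPreference | Select ExclusionPath"),
    mk(4, "powershell.exe", 4104, "Add-MpPreference -ExclusionExtension .exe"),
    mk(5, "sccm_agent.exe", 4104, "Add-MpPreference -ExclusionPath 'C:\\Program Files\\Agent'"),
]
```

Running `detect(SAMPLE_EVENTS)` yields one alert for the powershell.exe write at 10:04 (five distinct activities precede it), while the whitelisted agent's write is ignored.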