Adversaries may attempt to hide their file-based artifacts by writing them to specific folders or file names excluded from antivirus (AV) scanning and other defensive capabilities. AV and other file-based scanners often include exclusions to optimize performance as well as ease installation and legitimate use of applications. These exclusions may be contextual (e.g., scans are only initiated in response to specific triggering events/alerts), but are also often hardcoded strings referencing specific folders and/or files assumed to be trusted and legitimate.[1]
Adversaries may abuse these exclusions to hide their file-based artifacts. For example, rather than tampering with tool settings to add a new exclusion (i.e., Disable or Modify Tools), adversaries may drop their file-based payloads in default or otherwise well-known exclusions. Adversaries may also use Security Software Discovery and other Discovery/Reconnaissance activities to both discover and verify existing exclusions in a victim environment.
| ID | Mitigation | Description |
|---|---|---|
| M1049 | Antivirus/Antimalware |
Review and audit file/folder exclusions, and limit scope of exclusions to only what is required where possible.[1] |
| M1013 | Application Developer Guidance |
Application developers should consider limiting the requirements for custom or otherwise difficult to manage file/folder exclusions. Where possible, install applications to trusted system folder paths that are already protected by restricted file and directory permissions. |
| ID | Data Source | Data Component | Detects |
|---|---|---|---|
| DS0022 | File | File Creation |
Monitor for newly constructed files, especially those that are unexpectedly created in folders associated with or spoofing that of trusted applications. Also, consider prioritizing monitoring and analyzing file activity in known file/path exclusions. |