Adversaries may attempt to hide their file-based artifacts by writing them to specific folders or file names excluded from antivirus (AV) scanning and other defensive capabilities. AV and other file-based scanners often include exclusions to optimize performance as well as ease installation and legitimate use of applications. These exclusions may be contextual (e.g., scans are only initiated in response to specific triggering events/alerts), but are also often hardcoded strings referencing specific folders and/or files assumed to be trusted and legitimate.(Citation: Microsoft File Folder Exclusions)
Adversaries may abuse these exclusions to hide their file-based artifacts. For example, rather than tampering with tool settings to add a new exclusion (i.e., Disable or Modify Tools, T1562.001), adversaries may drop their file-based payloads in default or otherwise well-known exclusions. Adversaries may also use Security Software Discovery (T1518.001) and other Discovery/Reconnaissance activities to both discover and verify existing exclusions in a victim environment. Because this sub-technique needs no configuration change, defenders should inventory the exclusions actually configured on their endpoints and treat any that cover user-writable locations as candidates for removal or compensating monitoring.
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| PR.IR-01.08 | End-user device access | Mitigates | T1564.012 | File/Path Exclusions | This diagnostic statement implements technical controls (e.g., VPN, antivirus software) to address the risks of end-user personal computing devices accessing the organization's network and resources. |
| PR.PS-01.01 | Configuration baselines | Mitigates | T1564.012 | File/Path Exclusions | This diagnostic statement provides for securely configuring production systems, including hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data, thereby mitigating adversary exploitation. |
| PR.PS-06.01 | Secure SDLC process | Mitigates | T1564.012 | File/Path Exclusions | This diagnostic statement protects against Hide Artifacts through application security processes and procedures such as installing applications to trusted system folder paths that are already protected by restricted file and directory permissions. |
| PR.PS-01.08 | End-user device protection | Mitigates | T1564.012 | File/Path Exclusions | This diagnostic statement protects against File/Path Exclusions by limiting access to resources to authorized devices only, managing personal computing devices, using network intrusion prevention, and deploying antimalware. |
| PR.PS-06.07 | Development and operational process alignment | Mitigates | T1564.012 | File/Path Exclusions | This diagnostic statement protects against File/Path Exclusions through DevSecOps, a secure development lifecycle, and application developer guidance. Exploitable weaknesses can be mitigated through secure code, reduced vulnerabilities, and secure design principles. |

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| SI-03 | Malicious Code Protection | mitigates | T1564.012 | File/Path Exclusions | |

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.hacking.variety.Evade Defenses | Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. | related-to | T1564.012 | File/Path Exclusions | |
| action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1564.012 | File/Path Exclusions | |

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | technique_scores | T1564.012 | File/Path Exclusions | This control can detect when files are created in folders associated with, or spoofing the locations of, trusted applications. |

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| PUR-INPR-E5 | Information Protection | Technique Scores | T1564.012 | File/Path Exclusions | Purview's Information Protection capabilities allow several restrictions to be placed on files. External users, or users with insufficient privileges, can have read-only mode enforced, so that nothing is written to excluded locations in the file system. |