Process Access via TrolleyExpress Exclusion

Rule name: Process Access via TrolleyExpress Exclusion

Rule type: Standard

Log sources: Windows

MITRE ATT&CK tags:
  Defense Evasion: System Binary Proxy Execution - Rundll32 (T1218.011)
  Credential Access: OS Credential Dumping - LSASS Memory (T1003.001)

Severity: Critical

About the rule

Rule Type

Standard

Rule Description

This rule detects suspicious process access behavior involving the TrolleyExpress Windows Defender exclusion path. Attackers may abuse this path, commonly associated with Windows Defender's exclusion list, to run or access malicious binaries without triggering antivirus scans. By placing malware or scripts in the TrolleyExpress directory and letting processes interact with them, adversaries can bypass standard endpoint protection mechanisms. The technique is often used to evade detection during initial payload execution or post-exploitation activity, and it is a strong indicator of defense evasion through abuse of security exclusions.

Severity

Trouble

Rule journey

Attack chain scenario

Initial access → Execution → Defense evasion → Malware or script placed in Defender-excluded TrolleyExpress path → Trusted or attacker-controlled process accesses the excluded file → Payload execution → Persistence or privilege escalation

Impact

  • Malware execution
  • Privilege escalation
  • Persistence
  • Defense evasion
  • Detection gaps

Rule Requirement

Prerequisites

Using Windows Event Viewer:
To enable detailed process tracking in a domain environment, log in to a domain controller with domain admin credentials and open the Group Policy Management Console (GPMC). Create or edit a GPO linked to the target OU, navigate to the Advanced Audit Policy Configuration section, and enable success auditing for both process creation and process termination. To capture command-line details, enable the "Include command line in process creation events" setting under Audit Process Creation. Additionally, create the Microsoft-Windows-Security-Auditing/Operational registry key under the EventLog path to support enhanced auditing.

Using Sysmon:
To enable detailed process monitoring with Sysmon, first download and install it from Microsoft Sysinternals. Run Command Prompt as an administrator and install Sysmon with a configuration file that includes process creation tracking, using sysmon.exe -i [configfile.xml]. Ensure the configuration includes a <ProcessCreate> filter so that all process creation events are captured. Additionally, create the Microsoft-Windows-Sysmon/Operational registry key under the EventLog path if it doesn’t already exist.

Criteria

Action1:
  actionname = "Process started"
  AND COMMANDLINE contains "\TrolleyExpress 7,\TrolleyExpress 8,\TrolleyExpress 9,\TrolleyExpress.exe 7,\TrolleyExpress.exe 8,\TrolleyExpress.exe 9,\TrolleyExpress.exe -ma "
  OR (PROCESSNAME endswith "\TrolleyExpress.exe" AND (ORIGINALFILENAME notcontains "CtxInstall" AND isExist(ORIGINALFILENAME)))
select Action1.HOSTNAME, Action1.MESSAGE, Action1.COMMANDLINE, Action1.FILE_NAME, Action1.PROCESSNAME, Action1.USERNAME, Action1.PARENTPROCESSNAME
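The criteria above have two branches: a command-line branch that fires on the listed TrolleyExpress dump-style argument fragments, and a renamed-binary branch that fires when a file called TrolleyExpress.exe carries a PE OriginalFileName other than the Citrix installer's (CtxInstall), provided that field is actually present. The following is an added reference implementation of that logic run over constructed sample events; it is not code from the page or from the detection product. Field names follow the rule's Criteria, while the event shape, case-insensitive string matching and the sample values (hostnames, paths, users) are assumptions made here.

```python
from typing import Any, Dict, Iterable, List, Optional

Event = Dict[str, Any]

# Command-line fragments listed in the rule's Criteria (copied from the page).
COMMANDLINE_INDICATORS = (
    "\\TrolleyExpress 7",
    "\\TrolleyExpress 8",
    "\\TrolleyExpress 9",
    "\\TrolleyExpress.exe 7",
    "\\TrolleyExpress.exe 8",
    "\\TrolleyExpress.exe 9",
    "\\TrolleyExpress.exe -ma ",
)

# Fields the rule's select clause projects into the alert.
SELECTED_FIELDS = ("HOSTNAME", "MESSAGE", "COMMANDLINE", "FILE_NAME",
                   "PROCESSNAME", "USERNAME", "PARENTPROCESSNAME")


def _contains(haystack: Optional[str], needle: str) -> bool:
    # Assumption: the product's string operators are case-insensitive.
    return haystack is not None and needle.lower() in haystack.lower()


def matches_commandline(event: Event) -> bool:
    """Branch 1: actionname = "Process started" AND COMMANDLINE contains an indicator."""
    if event.get("actionname") != "Process started":
        return False
    return any(_contains(event.get("COMMANDLINE"), i) for i in COMMANDLINE_INDICATORS)


def matches_renamed_binary(event: Event) -> bool:
    """Branch 2: PROCESSNAME endswith \\TrolleyExpress.exe AND ORIGINALFILENAME exists
    AND ORIGINALFILENAME notcontains CtxInstall.

    The genuine Citrix binary carries CtxInstall in its OriginalFileName, so a file
    named TrolleyExpress.exe with some other OriginalFileName is a foreign executable
    wearing the trusted name. A missing or empty OriginalFileName does not satisfy
    isExist() and therefore does not match (the rule prefers a miss over a guess).
    """
    proc = event.get("PROCESSNAME") or ""
    if not proc.lower().endswith("\\trolleyexpress.exe"):
        return False
    original = event.get("ORIGINALFILENAME")
    if not original:
        return False
    return not _contains(original, "CtxInstall")


def evaluate(event: Event) -> bool:
    # As written, AND binds tighter than OR: the actionname condition belongs to
    # branch 1 only, so branch 2 is evaluated regardless of actionname.
    return matches_commandline(event) or matches_renamed_binary(event)


def run_rule(events: Iterable[Event]) -> List[Event]:
    """Return the projected select-clause fields of every matching event."""
    return [{k: e.get(k) for k in SELECTED_FIELDS} for e in events if evaluate(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS: List[Event] = [
    {   # genuine Citrix component: name and OriginalFileName agree, no dump switches
        "actionname": "Process started", "HOSTNAME": "ws01",
        "COMMANDLINE": '"C:\\Program Files\\Citrix\\TrolleyExpress.exe" /silent',
        "PROCESSNAME": "C:\\Program Files\\Citrix\\TrolleyExpress.exe",
        "ORIGINALFILENAME": "CtxInstall.exe", "USERNAME": "SYSTEM",
        "PARENTPROCESSNAME": "C:\\Windows\\System32\\services.exe",
    },
    {   # command line carrying the "\TrolleyExpress.exe -ma " indicator
        "actionname": "Process started", "HOSTNAME": "ws02",
        "COMMANDLINE": "C:\\Temp\\TrolleyExpress.exe -ma 1234 out.dmp",
        "PROCESSNAME": "C:\\Temp\\TrolleyExpress.exe",
        "ORIGINALFILENAME": "CtxInstall.exe", "USERNAME": "CORP\\jdoe",
        "PARENTPROCESSNAME": "C:\\Windows\\System32\\cmd.exe",
    },
    {   # unrelated tool renamed to TrolleyExpress.exe: OriginalFileName gives it away
        "actionname": "Process started", "HOSTNAME": "ws03",
        "COMMANDLINE": "C:\\Users\\Public\\TrolleyExpress.exe",
        "PROCESSNAME": "C:\\Users\\Public\\TrolleyExpress.exe",
        "ORIGINALFILENAME": "othertool.exe", "USERNAME": "CORP\\jdoe",
        "PARENTPROCESSNAME": "C:\\Windows\\explorer.exe",
    },
    {   # same name but OriginalFileName not logged: isExist() fails, no match
        "actionname": "Process started", "HOSTNAME": "ws04",
        "COMMANDLINE": "C:\\Users\\Public\\TrolleyExpress.exe",
        "PROCESSNAME": "C:\\Users\\Public\\TrolleyExpress.exe",
        "ORIGINALFILENAME": None, "USERNAME": "CORP\\jdoe",
        "PARENTPROCESSNAME": "C:\\Windows\\explorer.exe",
    },
    {   # indicator present but on a termination event: branch 1 needs "Process started"
        "actionname": "Process stopped", "HOSTNAME": "ws05",
        "COMMANDLINE": "C:\\Temp\\TrolleyExpress 7",
        "PROCESSNAME": "C:\\Temp\\TrolleyExpress",
        "ORIGINALFILENAME": "CtxInstall.exe", "USERNAME": "CORP\\jdoe",
        "PARENTPROCESSNAME": "C:\\Windows\\System32\\cmd.exe",
    },
]

if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print(hit["HOSTNAME"], hit["PROCESSNAME"], hit["COMMANDLINE"])
```

Only the second and third sample events match: the first is the legitimate Citrix component the CtxInstall filter exists to exclude, the fourth shows why isExist(ORIGINALFILENAME) is in the rule (a field that was never logged must not count as "not CtxInstall"), and the fifth shows that the operator precedence in the Criteria ties the "Process started" condition to the command-line branch alone.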

Detection

Execution Mode

realtime

Log Sources

Windows

MITRE ATT&CK

Defense Evasion: System Binary Proxy Execution - Rundll32 (T1218.011)
Credential Access: OS Credential Dumping - LSASS Memory (T1003.001)

Security Standards

Enabling this rule helps you meet the requirements of the security standards listed below:

PR.PS-01: Configuration management practices are established and applied

DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events

When this rule is triggered, you are alerted to a process accessing or leveraging the TrolleyExpress.exe exclusion path, a known technique abused by adversaries to bypass security controls.

Author

Florian Roth (Nextron Systems)

Future actions

Known False Positives

This rule may be triggered by legitimate software or IT tools that, due to performance or compatibility reasons, are intentionally placed in Windows Defender exclusion paths like TrolleyExpress.

Next Steps

When this rule is triggered, the following measures can be implemented:

  • Identification: Investigate the process accessing the TrolleyExpress exclusion path. Identify the initiating user or service, and verify if the accessed file is known, signed, or part of any approved application.
  • Analysis: Review the file’s hash, path, and any subsequent execution or network activity. Check whether the file is malicious, unsigned, or recently dropped.
  • Response: Isolate the affected endpoint, terminate the involved processes, and remove the file. Revoke any unauthorized changes and reset affected credentials.
  • Monitor Windows Defender: Regularly audit Windows Defender exclusion lists for unauthorized entries.

Mitigation

Mitigation ID (Mitigation Name): Mitigation description

M1050 (Exploit Protection):
Microsoft's Enhanced Mitigation Experience Toolkit (EMET) Attack Surface Reduction (ASR) feature can be used to block methods of using rundll32.exe to bypass application control.

M1040 (Behavior Prevention on Endpoint):
For Windows 10, enable Attack Surface Reduction (ASR) rules to secure LSASS and prevent credential stealing.

M1043 (Credential Access Protection):
With Windows 10, Microsoft implemented new protections called Credential Guard to protect the LSA secrets that can be used to obtain credentials through forms of credential dumping. It is not configured by default and has hardware and firmware system requirements. It also does not protect against all forms of credential dumping.

M1028 (Operating System Configuration):
Consider disabling or restricting NTLM and disabling WDigest authentication to reduce credential exposure.

M1027 (Password Policies):
Enforce complex and unique passwords for local administrator accounts across all systems in your network.

M1026 (Privileged Account Management):
Windows: Avoid placing user or admin domain accounts into local administrator groups across systems unless tightly controlled, as this can be equivalent to having a local admin account with the same password everywhere. Follow best practices for designing and administering an enterprise network to limit privileged account use across administrative tiers.
Linux: Scraping passwords from memory typically requires root privileges. Adhere to best practices for restricting access to privileged accounts to prevent malicious programs from accessing sensitive memory regions.

M1025 (Privileged Process Integrity):
On Windows 8.1 and Windows Server 2012 R2, enable Protected Process Light for LSA to enhance security.

M1017 (User Training):
Train users and administrators to avoid using the same password for multiple accounts to limit credential overlap across systems.