Exclusion lists are a critical component of endpoint security, defining what files and directories security solutions ignore. Traditionally, accessing these lists has required local administrator privileges—until now. SharpExclusionFinder, a tool we developed, challenges this limitation by identifying exclusion paths using only low-privileged user access. In this talk, we’ll demonstrate how SharpExclusionFinder operates, reveal the security risks of exposing exclusion lists to non-admin users, and explore how attackers can leverage this information to bypass defenses.