LOLBAS Data Exfiltration by DataSvcUtil.exe

 1title: LOLBAS Data Exfiltration by DataSvcUtil.exe
 2id: e290b10b-1023-4452-a4a9-eb31a9013b3a
 3status: test
 4description: Detects when a user performs data exfiltration by using DataSvcUtil.exe
 5references:
 6    - https://gist.github.com/teixeira0xfffff/837e5bfed0d1b0a29a7cb1e5dbdd9ca6
 7    - https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe
 8    - https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/generating-the-data-service-client-library-wcf-data-services
 9    - https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services
10    - https://lolbas-project.github.io/lolbas/Binaries/DataSvcUtil/
11author: Ialle Teixeira @teixeira0xfffff, Austin Songer @austinsonger
12date: 2021-09-30
13modified: 2022-05-16
14tags:
15    - attack.exfiltration
16    - attack.t1567
17logsource:
18    category: process_creation
19    product: windows
20detection:
21    selection_cli:
22        CommandLine|contains:
23            - '/in:'
24            - '/out:'
25            - '/uri:'
26    selection_img:
27        - Image|endswith: '\DataSvcUtil.exe'
28        - OriginalFileName: 'DataSvcUtil.exe'
29    condition: all of selection*
30fields:
31    - ComputerName
32    - User
33    - CommandLine
34    - ParentCommandLine
35falsepositives:
36    - DataSvcUtil.exe being used may be performed by a system administrator.
37    - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
38    - DataSvcUtil.exe being executed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
39level: medium

References

• Data exfil with DataSvcUtil.exe

  

  Data exfil with DataSvcUtil.exe. GitHub Gist: instantly share code, notes, and snippets.

  
  Read More

• WCF Data Service Client Utility (DataSvcUtil.exe)

  

  Learn more about: WCF Data Service Client Utility (DataSvcUtil.exe)

  
  Read More

• Generating the Data Service Client Library (WCF Data Services)

  

  Learn more about: Generating the Data Service Client Library (WCF Data Services)

  
  Read More

• How to: Add a Data Service Reference (WCF Data Services)

  

  Learn more about: How to: Add a data service reference (WCF Data Services)

  
  Read More

• Datasvcutil on LOLBAS

  

  DataSvcUtil.exe is a living-of-the-land file containing unexpected functionality that can be abused by attackers; this page lists all its use cases.

  
  Read More

Related rules

• Arbitrary File Download Via ConfigSecurityPolicy.EXE
• Communication To Ngrok Tunneling Service - Linux
• Communication To Ngrok Tunneling Service Initiated
• Suspicious Curl File Upload - Linux
• APT40 Dropbox Tool User Agent