LOLBAS Data Exfiltration by DataSvcUtil.exe
Detects when a user performs data exfiltration by using DataSvcUtil.exe
Sigma rule
title: LOLBAS Data Exfiltration by DataSvcUtil.exe
id: e290b10b-1023-4452-a4a9-eb31a9013b3a
status: test
description: Detects when a user performs data exfiltration by using DataSvcUtil.exe
references:
    - https://gist.github.com/teixeira0xfffff/837e5bfed0d1b0a29a7cb1e5dbdd9ca6
    - https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe
    - https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/generating-the-data-service-client-library-wcf-data-services
    - https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services
    - https://lolbas-project.github.io/lolbas/Binaries/DataSvcUtil/
author: Ialle Teixeira @teixeira0xfffff, Austin Songer @austinsonger
date: 2021/09/30
modified: 2022/05/16
tags:
    - attack.exfiltration
    - attack.t1567
logsource:
    category: process_creation
    product: windows
detection:
    selection_cli:
        CommandLine|contains:
            - '/in:'
            - '/out:'
            - '/uri:'
    selection_img:
        - Image|endswith: '\DataSvcUtil.exe'
        - OriginalFileName: 'DataSvcUtil.exe'
    condition: all of selection*
fields:
    - ComputerName
    - User
    - CommandLine
    - ParentCommandLine
falsepositives:
    - DataSvcUtil.exe being used may be performed by a system administrator.
    - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
    - DataSvcUtil.exe being executed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
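The following Python is an added example, not part of the Sigma project or of this rule: it re-implements the rule's two selections and its `all of selection*` condition and runs them over a handful of constructed process_creation events. It shows why both selections are required (a `csc.exe /out:` build command alone must not alert), that Sigma string matching is case-insensitive by default, and that the `OriginalFileName` branch still catches a renamed copy of the binary. The event field names follow the rule; the hostnames, users and paths in the sample events are made up.

```python
"""Evaluate the DataSvcUtil.exe Sigma rule over constructed process_creation events.

Added example; the sample events below are constructed, not real telemetry.
"""

# Values copied from the rule's detection block.
CLI_MARKERS = ("/in:", "/out:", "/uri:")
IMAGE_SUFFIX = r"\DataSvcUtil.exe"
ORIGINAL_FILE_NAME = "DataSvcUtil.exe"
TRIAGE_FIELDS = ("ComputerName", "User", "CommandLine", "ParentCommandLine")


def _contains_any(value, needles):
    """Sigma 'contains' modifier: substring match, case-insensitive by default."""
    haystack = (value or "").lower()
    return any(n.lower() in haystack for n in needles)


def selection_cli(event):
    """selection_cli: CommandLine contains any of the three switches."""
    return _contains_any(event.get("CommandLine"), CLI_MARKERS)


def selection_img(event):
    """selection_img is a YAML list, so its two items are OR-ed."""
    image = (event.get("Image") or "").lower()
    original = (event.get("OriginalFileName") or "").lower()
    return image.endswith(IMAGE_SUFFIX.lower()) or original == ORIGINAL_FILE_NAME.lower()


def matches(event):
    """condition: all of selection* -> both selections must be true."""
    return selection_cli(event) and selection_img(event)


def triage_fields(event):
    """Project an alert onto the rule's 'fields' list for the analyst."""
    return {k: event.get(k) for k in TRIAGE_FIELDS}


# Constructed sample events (hostnames, users and paths are invented).
SAMPLE_EVENTS = [
    {   # 1. Documented use: generate a client library from a local service. Alerts.
        "ComputerName": "DEV01", "User": "CORP\\builduser",
        "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe",
        "OriginalFileName": "DataSvcUtil.exe",
        "CommandLine": r"DataSvcUtil.exe /uri:http://localhost:5000/Service.svc /out:Client.cs",
        "ParentCommandLine": r"C:\Windows\System32\cmd.exe",
    },
    {   # 2. Renamed copy: Image no longer ends with the name, OriginalFileName still does. Alerts.
        "ComputerName": "WS042", "User": "CORP\\jdoe",
        "Image": r"C:\Users\jdoe\AppData\Local\Temp\svc.exe",
        "OriginalFileName": "DataSvcUtil.exe",
        "CommandLine": r"svc.exe /in:C:\Temp\export.csdl /out:C:\Temp\out.cs",
        "ParentCommandLine": r"powershell.exe -nop -w hidden",
    },
    {   # 3. Right binary, no switch of interest (help output). No alert.
        "ComputerName": "DEV01", "User": "CORP\\builduser",
        "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe",
        "OriginalFileName": "DataSvcUtil.exe",
        "CommandLine": "DataSvcUtil.exe /?",
        "ParentCommandLine": r"C:\Windows\System32\cmd.exe",
    },
    {   # 4. Unrelated compiler using /out:. selection_cli fires, selection_img does not. No alert.
        "ComputerName": "BUILD7", "User": "CORP\\svc_build",
        "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
        "OriginalFileName": "csc.exe",
        "CommandLine": r"csc.exe /out:app.exe Program.cs",
        "ParentCommandLine": r"MSBuild.exe",
    },
    {   # 5. Lower-case path and switches: Sigma matching is case-insensitive. Alerts.
        "ComputerName": "WS042", "User": "CORP\\jdoe",
        "Image": r"c:\tools\datasvcutil.exe",
        "OriginalFileName": None,
        "CommandLine": r"datasvcutil.exe /URI:http://10.0.0.5/odata /OUT:c:\temp\c.cs",
        "ParentCommandLine": r"explorer.exe",
    },
]


def run(events=SAMPLE_EVENTS):
    """Return the triage view of every event that satisfies the rule."""
    return [triage_fields(e) for e in events if matches(e)]


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Usage: `python datasvcutil_rule.py` prints the three matching events projected onto the rule's `fields`. The same structure (one function per selection, one for the condition) makes it easy to add a tuning exemption for a known build host without loosening the string matches themselves.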