/
proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml
39 lines (39 loc) · 1.62 KB
/
proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
title: LOLBAS Data Exfiltration by DataSvcUtil.exe
id: e290b10b-1023-4452-a4a9-eb31a9013b3a
status: test
description: Detects when a user performs data exfiltration by using DataSvcUtil.exe
references:
- https://gist.github.com/teixeira0xfffff/837e5bfed0d1b0a29a7cb1e5dbdd9ca6
- https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe
- https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/generating-the-data-service-client-library-wcf-data-services
- https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services
- https://lolbas-project.github.io/lolbas/Binaries/DataSvcUtil/
author: Ialle Teixeira @teixeira0xfffff, Austin Songer @austinsonger
date: 2021/09/30
modified: 2022/05/16
tags:
- attack.exfiltration
- attack.t1567
logsource:
category: process_creation
product: windows
detection:
selection_cli:
CommandLine|contains:
- '/in:'
- '/out:'
- '/uri:'
selection_img:
- Image|endswith: '\DataSvcUtil.exe'
- OriginalFileName: 'DataSvcUtil.exe'
condition: all of selection*
fields:
- ComputerName
- User
- CommandLine
- ParentCommandLine
falsepositives:
- DataSvcUtil.exe being used may be performed by a system administrator.
- Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- DataSvcUtil.exe being executed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium