Create process_creation_lolbas_data_exfiltration_by_using_datasvcutil.yml

rules/windows/process_creation/process_creation_lolbas_data_exfiltration_by_using_datasvcutil.yml

@@ -0,0 +1,36 @@
+title: LOLBAS Data Exfiltration by DataSvcUtil.exe
+id: e290b10b-1023-4452-a4a9-eb31a9013b3a
+status: experimental
+author: Ialle Teixeira @teixeira0xfffff, Austin Songer @austinsonger
+date: 2021/09/30 
+description: Detects when a user performs data exfiltration by using DataSvcUtil.exe
+references:
+    - https://gist.github.com/teixeira0xfffff/837e5bfed0d1b0a29a7cb1e5dbdd9ca6
+    - https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe
+    - https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/generating-the-data-service-client-library-wcf-data-services
+    - https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services
+tags:
+    - attack.exfiltration
+    - attack.t1567
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        CommandLine|contains|all:
+            - '/in:*'
+            - '/out:*'
+        Image|endswith:
+            - '\DataSvcUtil.exe'
+    condition: selection
+fields:
+    - ComputerName
+    - User
+    - CommandLine
+    - ParentCommandLine
+falsepositives:
+    - DataSvcUtil.exe being used may be performed by a system administrator. 
+    - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
+    - DataSvcUtil.exe being executed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+    - Penetration Testing
+level: medium