DataSvcUtil.exe being executed by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

Techniques

Sample rules

LOLBAS Data Exfiltration by DataSvcUtil.exe

Description

Detects when a user performs data exfiltration by using DataSvcUtil.exe.

Detection logic

detection:
  selection_cli:
    CommandLine|contains:
      - '/in:'
      - '/out:'
      - '/uri:'
  selection_img:
    - Image|endswith: '\DataSvcUtil.exe'
    - OriginalFileName: 'DataSvcUtil.exe'
  condition: all of selection*
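To show how the two selections combine (a `contains` list is an OR of its values, a list of maps under `selection_img` is an OR of the two image checks, and `all of selection*` ANDs the selections) and how the exemption described above fits in, here is an added Python example that evaluates the rule against constructed process-creation events. It is not code from LoFP or from the Sigma project; the `User` field and the `KNOWN_USERS` allowlist are assumptions used for the exemption step, and the sample events are constructed, not real telemetry.

```python
# Added example: evaluate the Sigma-style selections above against
# constructed process-creation events and apply a user-based exemption.
from typing import Dict, Iterable, List, Set, Tuple

# Field names follow the Sigma process_creation logsource (Image,
# OriginalFileName, CommandLine). The User field and the allowlist are
# assumptions for the exemption step; they are not part of the rule.
CLI_MARKERS = ("/in:", "/out:", "/uri:")


def selection_cli(event: Dict[str, str]) -> bool:
    """Sigma 'contains' list: true if any marker is in CommandLine.
    Sigma string matching is case-insensitive by default."""
    cmd = event.get("CommandLine", "").lower()
    return any(marker in cmd for marker in CLI_MARKERS)


def selection_img(event: Dict[str, str]) -> bool:
    """A list of maps in Sigma is an OR between the two image checks, so a
    renamed binary is still caught via OriginalFileName (PE version info)."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith("\\datasvcutil.exe") or original == "datasvcutil.exe"


def rule_matches(event: Dict[str, str]) -> bool:
    """condition: all of selection*  ->  selection_cli AND selection_img."""
    return selection_cli(event) and selection_img(event)


def triage(events: Iterable[Dict[str, str]],
           known_users: Set[str]) -> List[Tuple[str, str]]:
    """Return (User, CommandLine) for matches not covered by the exemption.
    The allowlist models 'known behavior ... exempted from the rule'."""
    hits = []
    for ev in events:
        if not rule_matches(ev):
            continue
        if ev.get("User", "").lower() in known_users:
            continue  # known behaviour exempted from the rule
        hits.append((ev.get("User", ""), ev.get("CommandLine", "")))
    return hits


# Constructed sample events (not real telemetry); paths and users are made up.
SAMPLE_EVENTS = [
    {  # matches: DataSvcUtil with /uri: and /out:, run by an unfamiliar user
        "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe",
        "OriginalFileName": "DataSvcUtil.exe",
        "CommandLine": r"DataSvcUtil.exe /uri:http://example.invalid/svc /out:C:\Temp\x.cs",
        "User": r"CORP\unknownuser",
    },
    {  # matches the rule, but the user is on the exemption list
        "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe",
        "OriginalFileName": "DataSvcUtil.exe",
        "CommandLine": r"DataSvcUtil.exe /in:C:\proj\svc.csdl /out:C:\proj\svc.cs",
        "User": r"CORP\dotnetdev",
    },
    {  # renamed binary: Image check fails, OriginalFileName still matches
        "Image": r"C:\Users\Public\svc.exe",
        "OriginalFileName": "DataSvcUtil.exe",
        "CommandLine": r"svc.exe /uri:http://example.invalid/odata",
        "User": r"CORP\unknownuser",
    },
    {  # no match: right binary, but none of /in: /out: /uri: on the command line
        "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe",
        "OriginalFileName": "DataSvcUtil.exe",
        "CommandLine": "DataSvcUtil.exe /help",
        "User": r"CORP\unknownuser",
    },
]

# Assumed allowlist of accounts whose DataSvcUtil use is known and reviewed.
KNOWN_USERS = {r"corp\dotnetdev"}

if __name__ == "__main__":
    for user, cmd in triage(SAMPLE_EVENTS, KNOWN_USERS):
        print(f"ALERT {user}: {cmd}")
```

Running the block reports two alerts: the unfamiliar user's direct invocation and the renamed-binary case, which the `OriginalFileName` branch catches even though `Image` no longer ends in `\DataSvcUtil.exe`. The developer's `/in:`/`/out:` run matches the rule but is dropped by the allowlist, which is the exemption the false-positive note describes; keep such allowlists narrow (specific accounts or hosts) so the exemption does not blind the rule to the same binary in other hands.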