LoFP / datasvcutil.exe being used may be performed by a system administrator.

Techniques

Sample rules

LOLBAS Data Exfiltration by DataSvcUtil.exe

Description

Detects when a user performs data exfiltration by using DataSvcUtil.exe

Detection logic

condition: all of selection*
selection_cli:
  CommandLine|contains:
  - '/in:'
  - '/out:'
  - '/uri:'
selection_img:
- Image|endswith: \DataSvcUtil.exe
- OriginalFileName: DataSvcUtil.exe
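
The following is an added example, not part of the rule or of LoFP: it restates the detection logic above as plain Python and runs it over constructed process-creation events to show how the two selections combine and why routine administrator use produces the false positive recorded here. The event names, paths, file names and URLs are assumptions made up for illustration.

```python
# Added example: the page's Sigma logic as plain Python, run over constructed events.
CLI_SWITCHES = ("/in:", "/out:", "/uri:")

def selection_cli(event):
    # A value list under CommandLine|contains is an OR: one switch is enough.
    cmd = event.get("CommandLine", "").lower()  # Sigma string matching ignores case
    return any(switch in cmd for switch in CLI_SWITCHES)

def selection_img(event):
    # A list of maps is an OR as well: image path suffix OR PE OriginalFileName.
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith("\\datasvcutil.exe") or original == "datasvcutil.exe"

def rule_matches(event):
    # condition: all of selection* -> every selection_* block must match.
    return selection_cli(event) and selection_img(event)

# Constructed process-creation events; paths, file names and URLs are placeholders.
EVENTS = {
    "admin_codegen": {
        "Image": r"C:\Windows\Microsoft.NET\Framework64\v3.5\DataSvcUtil.exe",
        "OriginalFileName": "DataSvcUtil.exe",
        "CommandLine": r"DataSvcUtil.exe /language:CSharp /out:Client.cs /uri:http://localhost/Svc.svc",
    },
    "renamed_copy": {
        "Image": r"C:\Tools\gen.exe",
        "OriginalFileName": "DataSvcUtil.exe",
        "CommandLine": r"gen.exe /IN:model.edmx /OUT:Client.cs",
    },
    "help_only": {
        "Image": r"C:\Windows\Microsoft.NET\Framework64\v3.5\DataSvcUtil.exe",
        "OriginalFileName": "DataSvcUtil.exe",
        "CommandLine": "DataSvcUtil.exe /?",
    },
    "other_compiler": {
        "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
        "OriginalFileName": "csc.exe",
        "CommandLine": "csc.exe /out:app.exe app.cs",
    },
}

def triage(events=EVENTS):
    # Map each event name to whether the rule would raise an alert for it.
    return {name: rule_matches(event) for name, event in events.items()}

if __name__ == "__main__":
    for name, hit in triage().items():
        print(f"{name}: {'ALERT' if hit else 'no match'}")
```

The admin_codegen event alerts although it is ordinary client-class generation, so the rule fires on tool use rather than on exfiltration itself; triage has to look at the user, the parent process and the /uri: destination.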