LOLBAS Data Exfiltration by DataSvcUtil.exe

Sigma Rules

Summary
This detection rule aims to identify potential data exfiltration performed with the DataSvcUtil.exe utility on Windows systems. DataSvcUtil.exe is a command-line tool that generates client-side proxies for WCF Data Services, and attackers can abuse it to move sensitive data out of the environment. The rule inspects process creation events, monitoring the command line for export-style parameters (e.g., '/in:', '/out:', or '/uri:'), and raises an alert when such a parameter appears together with the DataSvcUtil.exe image. False positives can occur when system administrators use the tool legitimately; verify the user's behavior and the surrounding context (parent process, account, destination) to distinguish legitimate use from malicious activity.
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
Created: 2021-09-30