Find sigma rule

Attack: Signed Binary Proxy Execution: Odbcconf

Adversaries may abuse odbcconf.exe to proxy execution of malicious payloads. Odbcconf.exe is a Windows utility that allows you to configure Open Database Connectivity (ODBC) drivers and data source names.(Citation: Microsoft odbcconf.exe) The Odbcconf.exe binary may be digitally signed by Microsoft.

Adversaries may abuse odbcconf.exe to bypass application control solutions that do not account for its potential abuse. Similar to Regsvr32, odbcconf.exe has a REGSVR flag that can be misused to execute DLLs (ex: odbcconf.exe /S /A {REGSVR "C:\Users\Public\file.dll"}). (Citation: LOLBAS Odbcconf)(Citation: TrendMicro Squiblydoo Aug 2017)(Citation: TrendMicro Cobalt Group Nov 2017)

MITRE

Tactic

defense-evasion

technique

T1218.008

Test : Odbcconf.exe - Load Response File

OS

windows

Description:

Execute arbitrary response file that will spawn PowerShell.exe. Source files: https://github.com/woanware/application-restriction-bypasses

Executor

command_prompt

Sigma Rule

proc_creation_win_odbcconf_response_file.yml (id: 5f03babb-12db-4eec-8c82-7b4cb5580868)
image_load_dll_system_management_automation_susp_load.yml (id: 092bc4b9-3d1d-43b4-a6b4-8c8acd83522f)
image_load_wsman_provider_image_load.yml (id: ad1f4bb9-8dfb-4765-adb6-2a7cfb6c0f94)
posh_pm_alternate_powershell_hosts.yml (id: 64e8e417-c19a-475a-8d19-98ea705394cc)

back

sigma_redcanaryco

Knowing which rule should trigger according to the redcannary test