Find sigma rule
Attack: Signed Binary Proxy Execution: Odbcconf
Adversaries may abuse odbcconf.exe to proxy execution of malicious payloads. Odbcconf.exe is a Windows utility that allows you to configure Open Database Connectivity (ODBC) drivers and data source names.(Citation: Microsoft odbcconf.exe) The Odbcconf.exe binary may be digitally signed by Microsoft.
Adversaries may abuse odbcconf.exe to bypass application control solutions that do not account for its potential abuse. Similar to Regsvr32, odbcconf.exe has a REGSVR
flag that can be misused to execute DLLs (ex: odbcconf.exe /S /A {REGSVR "C:\Users\Public\file.dll"}
). (Citation: LOLBAS Odbcconf)(Citation: TrendMicro Squiblydoo Aug 2017)(Citation: TrendMicro Cobalt Group Nov 2017)
MITRE
Tactic
- defense-evasion
technique
- T1218.008
Test : Odbcconf.exe - Load Response File
OS
- windows
Description:
Execute arbitrary response file that will spawn PowerShell.exe. Source files: https://github.com/woanware/application-restriction-bypasses
Executor
command_prompt
Sigma Rule
-
proc_creation_win_odbcconf_response_file.yml (id: 5f03babb-12db-4eec-8c82-7b4cb5580868)
-
image_load_dll_system_management_automation_susp_load.yml (id: 092bc4b9-3d1d-43b4-a6b4-8c8acd83522f)
-
image_load_wsman_provider_image_load.yml (id: ad1f4bb9-8dfb-4765-adb6-2a7cfb6c0f94)
-
posh_pm_alternate_powershell_hosts.yml (id: 64e8e417-c19a-475a-8d19-98ea705394cc)