EXPLORE
Sign In
← Back to Explore
sigmahighHunting

Odbcconf.EXE Suspicious DLL Location

Detects execution of "odbcconf" where the path of the DLL being registered is located in a potentially suspicious location.

MITRE ATT&CK

T1218.008
defense-evasion

Detection Query

selection_img:
  - Image|endswith: \odbcconf.exe
  - OriginalFileName: odbcconf.exe
selection_cli:
  CommandLine|contains:
    - :\PerfLogs\
    - :\ProgramData\
    - :\Temp\
    - :\Users\Public\
    - :\Windows\Registration\CRMLog
    - :\Windows\System32\com\dmp\
    - :\Windows\System32\FxsTmp\
    - :\Windows\System32\Microsoft\Crypto\RSA\MachineKeys\
    - :\Windows\System32\spool\drivers\color\
    - :\Windows\System32\spool\PRINTERS\
    - :\Windows\System32\spool\SERVERS\
    - :\Windows\System32\Tasks_Migrated\
    - :\Windows\System32\Tasks\Microsoft\Windows\SyncCenter\
    - :\Windows\SysWOW64\com\dmp\
    - :\Windows\SysWOW64\FxsTmp\
    - :\Windows\SysWOW64\Tasks\Microsoft\Windows\PLA\System\
    - :\Windows\SysWOW64\Tasks\Microsoft\Windows\SyncCenter\
    - :\Windows\Tasks\
    - :\Windows\Temp\
    - :\Windows\Tracing\
    - \AppData\Local\Temp\
    - \AppData\Roaming\
condition: all of selection_*

Author

Nasreddine Bencherchali (Nextron Systems)

Created

2023-05-22

Data Sources

windowsProcess Creation Events

Platforms

windows

References

Tags

attack.defense-evasionattack.t1218.008
Raw Content
title: Odbcconf.EXE Suspicious DLL Location
id: 6b65c28e-11f3-46cb-902a-68f2cafaf474
status: test
description: Detects execution of "odbcconf" where the path of the DLL being registered is located in a potentially suspicious location.
references:
    - https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16
    - https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html
    - https://securityintelligence.com/posts/raspberry-robin-worm-dridex-malware/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-22
modified: 2023-05-26
tags:
    - attack.defense-evasion
    - attack.t1218.008
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\odbcconf.exe'
        - OriginalFileName: 'odbcconf.exe'
    selection_cli:
        # Note: Add more suspicious locations
        CommandLine|contains:
            - ':\PerfLogs\'
            - ':\ProgramData\'
            - ':\Temp\'
            - ':\Users\Public\'
            - ':\Windows\Registration\CRMLog'
            - ':\Windows\System32\com\dmp\'
            - ':\Windows\System32\FxsTmp\'
            - ':\Windows\System32\Microsoft\Crypto\RSA\MachineKeys\'
            - ':\Windows\System32\spool\drivers\color\'
            - ':\Windows\System32\spool\PRINTERS\'
            - ':\Windows\System32\spool\SERVERS\'
            - ':\Windows\System32\Tasks_Migrated\'
            - ':\Windows\System32\Tasks\Microsoft\Windows\SyncCenter\'
            - ':\Windows\SysWOW64\com\dmp\'
            - ':\Windows\SysWOW64\FxsTmp\'
            - ':\Windows\SysWOW64\Tasks\Microsoft\Windows\PLA\System\'
            - ':\Windows\SysWOW64\Tasks\Microsoft\Windows\SyncCenter\'
            - ':\Windows\Tasks\'
            - ':\Windows\Temp\'
            - ':\Windows\Tracing\'
            - '\AppData\Local\Temp\'
            - '\AppData\Roaming\'
    condition: all of selection_*
falsepositives:
    - Unlikely
level: high