EXPLORE
Sign In
← Back to Explore
T1218.008

Odbcconf

Adversaries may abuse odbcconf.exe to proxy execution of malicious payloads. Odbcconf.exe is a Windows utility that allows you to configure Open Database Connectivity (ODBC) drivers and data source names.(Citation: Microsoft odbcconf.exe) The Odbcconf.exe binary may be digitally signed by Microsoft. Adversaries may abuse odbcconf.exe to bypass application control solutions that do not account for its potential abuse. Similar to [Regsvr32](https://attack.mitre.org/techniques/T1218/010), odbcconf...

Windows
17
Detections
3
Sources
1
Threat Actors

BY SOURCE

8sigma6elastic3splunk_escu

PROCEDURES (10)

Process Creation Monitoring4 detections

Auto-extracted: 4 detections for process creation monitoring

Child Process3 detections

Auto-extracted: 3 detections for child process

Network Connection Monitoring2 detections

Auto-extracted: 2 detections for network connection monitoring

Driver2 detections

Auto-extracted: 2 detections for driver

Persist1 detections

Auto-extracted: 1 detections for persist

Privilege1 detections

Auto-extracted: 1 detections for privilege

Persist1 detections

Auto-extracted: 1 detections for persist

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Child Process1 detections

Auto-extracted: 1 detections for child process

THREAT ACTORS (1)

Cobalt Group

DETECTIONS (17)

Driver/DLL Installation Via Odbcconf.EXE
sigmamedium
New DLL Registered Via Odbcconf.EXE
sigmamedium
Odbcconf.EXE Suspicious DLL Location
sigmahigh
Potentially Suspicious DLL Registered Via Odbcconf.EXE
sigmahigh
Response File Execution Via Odbcconf.EXE
sigmamedium
Suspicious Driver/DLL Installation Via Odbcconf.EXE
sigmahigh
Suspicious JetBrains TeamCity Child Process
elasticmedium
Suspicious MS Office Child Process
elasticmedium
Suspicious MS Outlook Child Process
elasticlow
Suspicious PDF Reader Child Process
elasticlow
Suspicious Response File Execution Via Odbcconf.EXE
sigmahigh
Uncommon Child Process Spawned By Odbcconf.EXE
sigmamedium
Unusual Network Activity from a Windows System Binary
elasticmedium
Unusual Process Network Connection
elasticlow
Windows Odbcconf Hunting
splunk_escu
Windows Odbcconf Load DLL
splunk_escu
Windows Odbcconf Load Response File
splunk_escu