Suspicious Response File Execution Via Odbcconf.EXE
Detects execution of "odbcconf" with the "-f" flag in order to load a response file with a non-".rsp" extension.
Log source: Windows process creation events, generated whenever a new process is spawned on the system. These cover command-line arguments, parent/child relationships, and process metadata such as the original file name.
```yaml
detection:
    selection_img:
        - Image|endswith: '\odbcconf.exe'
        - OriginalFileName: 'odbcconf.exe'
    selection_cli:
        CommandLine|contains|windash: ' -f '
    filter_main_rsp_ext:
        CommandLine|contains: '.rsp'
    filter_main_runonce_odbc:
        # When odbcconf is run with the "/R" flag, it creates a "runonce" key to run at the next reboot
        ParentImage: 'C:\Windows\System32\runonce.exe'
        Image: 'C:\Windows\System32\odbcconf.exe'
        CommandLine|contains: '.exe /E /F "C:\WINDOWS\system32\odbcconf.tmp"'
    condition: all of selection_* and not 1 of filter_main_*
```

False positives: unlikely for most environments. Level: high (high-confidence detection).
Related rule: Response File Execution Via Odbcconf.EXE
Detects execution of "odbcconf" with the "-f" flag in order to load a response file, which might contain a malicious action.
This rule was derived from that related rule; both detect similar activity, but this one narrows the scope to response files with a non-".rsp" extension.
65d2be45-8600-4042-b4c0-577a1ff8a60e