
New ODBC Driver Registered

Detects the registration of a new ODBC driver.

Author: Nasreddine Bencherchali (Nextron Systems). Created Tue May 23, updated Thu Aug 17. Rule ID 3390fbef-c98d-4bdd-a863-d65ed7c610dd. Product: windows.
Log Source
Product: Windows (raw: windows)
Category: Registry Set (raw: registry_set)
Detection Logic (4 selectors)
detection:
    selection:
        TargetObject|contains: '\SOFTWARE\ODBC\ODBCINST.INI\'
        TargetObject|endswith: '\Driver'
    filter_main_sqlserver:
        TargetObject|contains: '\SQL Server\'
        Details: '%WINDIR%\System32\SQLSRV32.dll'
    filter_optional_office_access:
        TargetObject|contains: '\Microsoft Access '
        Details|startswith: 'C:\Progra'
        Details|endswith: '\ACEODBC.DLL'
    filter_optional_office_excel:
        TargetObject|contains: '\Microsoft Excel Driver'
        Details|startswith: 'C:\Progra'
        Details|endswith: '\ACEODBC.DLL'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
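To make the rule's logic concrete, the following added example (not code from the rule page or the Sigma project) re-implements the selectors and the condition above as a small evaluator and runs it over five constructed registry_set events. It assumes Sigma's default string semantics (contains/startswith/endswith and plain values all match case-insensitively, an absent field never matches) and uses the Sysmon Event ID 13 field names TargetObject and Details that the registry_set log source maps to; the driver names and DLL paths in the sample events are made up for illustration.

```python
"""Evaluate the 'New ODBC Driver Registered' Sigma rule over constructed
Windows registry_set events.

Added example, not part of the rule or the Sigma project: only the string
modifiers the rule uses are implemented, and the sample events are constructed.
"""

from typing import Callable, Dict, List, Tuple

Selector = List[Tuple[str, str, str]]  # (field, modifier, value) triples

# Transcribed from the rule's YAML.
SELECTION: Selector = [
    ("TargetObject", "contains", "\\SOFTWARE\\ODBC\\ODBCINST.INI\\"),
    ("TargetObject", "endswith", "\\Driver"),
]
FILTERS: Dict[str, Selector] = {
    "filter_main_sqlserver": [
        ("TargetObject", "contains", "\\SQL Server\\"),
        ("Details", "equals", "%WINDIR%\\System32\\SQLSRV32.dll"),
    ],
    "filter_optional_office_access": [
        ("TargetObject", "contains", "\\Microsoft Access "),
        ("Details", "startswith", "C:\\Progra"),
        ("Details", "endswith", "\\ACEODBC.DLL"),
    ],
    "filter_optional_office_excel": [
        ("TargetObject", "contains", "\\Microsoft Excel Driver"),
        ("Details", "startswith", "C:\\Progra"),
        ("Details", "endswith", "\\ACEODBC.DLL"),
    ],
}

# Sigma string matching is case-insensitive by default (assumed here).
MODIFIERS: Dict[str, Callable[[str, str], bool]] = {
    "contains": lambda field, value: value.lower() in field.lower(),
    "startswith": lambda field, value: field.lower().startswith(value.lower()),
    "endswith": lambda field, value: field.lower().endswith(value.lower()),
    "equals": lambda field, value: field.lower() == value.lower(),
}


def selector_matches(event: Dict[str, str], selector: Selector) -> bool:
    """A selector is a map: every listed field condition must hold (AND)."""
    for field, modifier, value in selector:
        if field not in event or not MODIFIERS[modifier](event[field], value):
            return False
    return True


def rule_matches(event: Dict[str, str]) -> bool:
    """condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*"""
    if not selector_matches(event, SELECTION):
        return False
    main_hit = any(selector_matches(event, f)
                   for n, f in FILTERS.items() if n.startswith("filter_main_"))
    optional_hit = any(selector_matches(event, f)
                       for n, f in FILTERS.items() if n.startswith("filter_optional_"))
    return not main_hit and not optional_hit


# Constructed Sysmon EID 13 style events; none of these are real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # 1. Default SQL Server driver re-registered: excluded by filter_main_sqlserver.
    {"TargetObject": "HKLM\\SOFTWARE\\ODBC\\ODBCINST.INI\\SQL Server\\Driver",
     "Details": "%WINDIR%\\System32\\SQLSRV32.dll"},
    # 2. Office Access driver under Program Files: excluded by the Access filter.
    {"TargetObject": "HKLM\\SOFTWARE\\ODBC\\ODBCINST.INI\\Microsoft Access Driver (*.mdb, *.accdb)\\Driver",
     "Details": "C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE16\\ACEODBC.DLL"},
    # 3. Unknown driver name whose DLL lives under a public profile: alerts.
    {"TargetObject": "HKLM\\SOFTWARE\\ODBC\\ODBCINST.INI\\Reporting Driver\\Driver",
     "Details": "C:\\Users\\Public\\rptdrv.dll"},
    # 4. Same key, different value name ('Setup', not 'Driver'): no alert.
    {"TargetObject": "HKLM\\SOFTWARE\\ODBC\\ODBCINST.INI\\Reporting Driver\\Setup",
     "Details": "C:\\Users\\Public\\rptdrv.dll"},
    # 5. Access driver name but DLL outside Program Files: filter fails, alerts.
    {"TargetObject": "HKLM\\SOFTWARE\\ODBC\\ODBCINST.INI\\Microsoft Access Driver (*.mdb)\\Driver",
     "Details": "C:\\Temp\\ACEODBC.DLL"},
]


def matching_indices(events: List[Dict[str, str]] = SAMPLE_EVENTS) -> List[int]:
    """Return the 1-based indices of events the rule would alert on."""
    return [i for i, ev in enumerate(events, start=1) if rule_matches(ev)]


if __name__ == "__main__":
    for i, ev in enumerate(SAMPLE_EVENTS, start=1):
        print(f"event {i}: {'ALERT' if rule_matches(ev) else 'ok'}  {ev['TargetObject']}")
```

Events 3 and 5 alert; event 5 shows why the Office filters check the DLL location and not only the driver name, and event 4 shows the `endswith: '\Driver'` clause restricting the rule to the value that names the driver DLL. When tuning the rule for an environment with other legitimate drivers, add a further `filter_optional_*` map in the same shape rather than loosening the selection.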
False Positives

Likely

MITRE ATT&CK
Rule Metadata
Rule ID: 3390fbef-c98d-4bdd-a863-d65ed7c610dd
Status: test
Level: low
Type: Detection
Created: Tue May 23
Modified: Thu Aug 17
Path: rules/windows/registry/registry_set/registry_set_odbc_driver_registered.yml
Raw Tags: attack.persistence