Detectionmediumtest

Driver/DLL Installation Via Odbcconf.EXE

Detects execution of "odbcconf" with "INSTALLDRIVER" which installs a new ODBC driver. Attackers abuse this to install and run malicious DLLs.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Nasreddine Bencherchali (Nextron Systems)Created Mon May 223f5491e2-8db8-496b-9e95-1029fce852d4windows

Log Source

WindowsProcess Creation

ProductWindows← raw: windows

CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic

detection:
    selection_img:
        - Image|endswith: '\odbcconf.exe'
        - OriginalFileName: 'odbcconf.exe'
    selection_cli:
        # Note: The "/A" flag is not required to call a specific action
        CommandLine|contains|all:
            - 'INSTALLDRIVER '
            - '.dll'
    condition: all of selection_*

False Positives

Legitimate driver DLLs being registered via "odbcconf" will generate false positives. Investigate the path of the DLL and its contents to determine if the action is authorized.

References

Resolving title…

lolbas-project.github.io

MITRE ATT&CK

Tactics

TA0005 · Defense Evasion

Sub-techniques

T1218.008 · Odbcconf

Related Rules

SimilarDetectionhigh

Suspicious Driver/DLL Installation Via Odbcconf.EXE

Detects execution of "odbcconf" with the "INSTALLDRIVER" action where the driver doesn't contain a ".dll" extension. This is often used as a defense evasion method.

Detects similar activity. Both rules may fire on overlapping events.

Rule Metadata

Rule ID

3f5491e2-8db8-496b-9e95-1029fce852d4

Status

test

Level

medium

Type

Detection

Created

Mon May 22

Author

Nasreddine Bencherchali (Nextron Systems)

Path

rules/windows/process_creation/proc_creation_win_odbcconf_driver_install.yml

Raw Tags

attack.defense-evasionattack.t1218.008

View on GitHub