Technique on mitre.org

T1218.008: Odbcconf

Adversaries may abuse odbcconf.exe to proxy execution of malicious payloads. Odbcconf.exe is a Windows utility that allows you to configure Open Database Connectivity (ODBC) drivers and data source names. The Odbcconf.exe binary may be digitally signed by Microsoft.

Adversaries may abuse odbcconf.exe to bypass application control solutions that do not account for its potential abuse. Similar to Regsvr32, odbcconf.exe has a REGSVR flag that can be misused to execute DLLs (ex: odbcconf.exe /S /A {REGSVR "C:\Users\Public\file.dll"}).

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

mitre_attck_defense_evasion: PT-CR-456: Odbcconf_AWL_Bypass: An attempt to bypass application-start restrictions by using odbcconf.exe (a built-in Microsoft Windows utility used for managing ODBC connections)

Detection

ID	DS0011	Data source and component	Module: Module Load	Description	Monitor DLL/PE file events, specifically creation of these binary files as well as the loading of DLLs into processes. Look for DLLs that are not recognized or not normally loaded into a process.

ID	DS0017	Data source and component	Command: Command Execution	Description	Command arguments used before and after the invocation of odbcconf.exe may also be useful in determining the origin and purpose of the DLL being loaded.

ID	DS0009	Data source and component	Process: Process Creation	Description	Use process monitoring to monitor the execution and arguments of odbcconf.exe. Compare recent invocations of odbcconf.exe with prior history of known good arguments and loaded DLLs to determine anomalous and potentially adversarial activity.

ID	Data source and component	Description
DS0011	Module: Module Load	Monitor DLL/PE file events, specifically creation of these binary files as well as the loading of DLLs into processes. Look for DLLs that are not recognized or not normally loaded into a process.
DS0017	Command: Command Execution	Command arguments used before and after the invocation of odbcconf.exe may also be useful in determining the origin and purpose of the DLL being loaded.
DS0009	Process: Process Creation	Use process monitoring to monitor the execution and arguments of odbcconf.exe. Compare recent invocations of odbcconf.exe with prior history of known good arguments and loaded DLLs to determine anomalous and potentially adversarial activity.

Mitigation

ID	M1042	Name	Disable or Remove Feature or Program	Description	Odbcconf.exe may not be necessary within a given environment.

ID	M1038	Name	Execution Prevention	Description	Use application control configured to block execution of Odbcconf.exe if it is not required for a given system or network to prevent potential misuse by adversaries.

ID	Name	Description
M1042	Disable or Remove Feature or Program	Odbcconf.exe may not be necessary within a given environment.
M1038	Execution Prevention	Use application control configured to block execution of Odbcconf.exe if it is not required for a given system or network to prevent potential misuse by adversaries.