Sigma
Sigma rules for CVE-2023-28304
2 rules · scoped to cve · back to CVE-2023-28304
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
◈
Detection rules
2 of 2
direct
high
Potentially Suspicious ODBC Driver Registered
Detects the registration of a new ODBC driver where the driver is located in a potentially suspicious location
view Sigma YAML
title: Potentially Suspicious ODBC Driver Registered
id: e4d22291-f3d5-4b78-9a0c-a1fbaf32a6a4
status: test
description: Detects the registration of a new ODBC driver where the driver is located in a potentially suspicious location
references:
- https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-23
modified: 2023-08-17
tags:
- attack.credential-access
- attack.persistence
- attack.t1003
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains: '\SOFTWARE\ODBC\ODBCINST.INI\'
TargetObject|endswith:
- '\Driver'
- '\Setup'
Details|contains:
- ':\PerfLogs\'
- ':\ProgramData\'
- ':\Temp\'
- ':\Users\Public\'
- ':\Windows\Registration\CRMLog'
- ':\Windows\System32\com\dmp\'
- ':\Windows\System32\FxsTmp\'
- ':\Windows\System32\Microsoft\Crypto\RSA\MachineKeys\'
- ':\Windows\System32\spool\drivers\color\'
- ':\Windows\System32\spool\PRINTERS\'
- ':\Windows\System32\spool\SERVERS\'
- ':\Windows\System32\Tasks_Migrated\'
- ':\Windows\System32\Tasks\Microsoft\Windows\SyncCenter\'
- ':\Windows\SysWOW64\com\dmp\'
- ':\Windows\SysWOW64\FxsTmp\'
- ':\Windows\SysWOW64\Tasks\Microsoft\Windows\PLA\System\'
- ':\Windows\SysWOW64\Tasks\Microsoft\Windows\SyncCenter\'
- ':\Windows\Tasks\'
- ':\Windows\Temp\'
- ':\Windows\Tracing\'
- '\AppData\Local\Temp\'
- '\AppData\Roaming\'
condition: selection
falsepositives:
- Unlikely
level: high
direct
low
New ODBC Driver Registered
Detects the registration of a new ODBC driver.
view Sigma YAML
title: New ODBC Driver Registered
id: 3390fbef-c98d-4bdd-a863-d65ed7c610dd
status: test
description: Detects the registration of a new ODBC driver.
references:
- https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-23
modified: 2023-08-17
tags:
- attack.persistence
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains: '\SOFTWARE\ODBC\ODBCINST.INI\'
TargetObject|endswith: '\Driver'
filter_main_sqlserver:
TargetObject|contains: '\SQL Server\'
Details: '%WINDIR%\System32\SQLSRV32.dll'
filter_optional_office_access:
TargetObject|contains: '\Microsoft Access '
Details|startswith: 'C:\Progra'
Details|endswith: '\ACEODBC.DLL'
filter_optional_office_excel:
TargetObject|contains: '\Microsoft Excel Driver'
Details|startswith: 'C:\Progra'
Details|endswith: '\ACEODBC.DLL'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Likely
level: low
Showing 1-2 of 2