Sigma is the open, generic signature format for SIEM systems. Each rule below converts to native syntax for Splunk, Elastic, Sentinel, and other SIEMs. Each rule is listed with its description, metadata and raw Sigma YAML.
Odbcconf.EXE Suspicious DLL Location
Detects execution of "odbcconf" where the path of the DLL being registered is located in a potentially suspicious location.
Level: high | Status: test | Author: Nasreddine Bencherchali (Nextron Systems) | ID: 6b65c28e-11f3-46cb-902a-68f2cafaf474

Sigma YAML:
title: Odbcconf.EXE Suspicious DLL Location
id: 6b65c28e-11f3-46cb-902a-68f2cafaf474
status: test
description: Detects execution of "odbcconf" where the path of the DLL being registered is located in a potentially suspicious location.
references:
    - https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16
    - https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html
    - https://securityintelligence.com/posts/raspberry-robin-worm-dridex-malware/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-22
modified: 2023-05-26
tags:
    - attack.stealth
    - attack.t1218.008
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\odbcconf.exe'
        - OriginalFileName: 'odbcconf.exe'
    selection_cli:
        # Note: Add more suspicious locations
        CommandLine|contains:
            - ':\PerfLogs\'
            - ':\ProgramData\'
            - ':\Temp\'
            - ':\Users\Public\'
            - ':\Windows\Registration\CRMLog'
            - ':\Windows\System32\com\dmp\'
            - ':\Windows\System32\FxsTmp\'
            - ':\Windows\System32\Microsoft\Crypto\RSA\MachineKeys\'
            - ':\Windows\System32\spool\drivers\color\'
            - ':\Windows\System32\spool\PRINTERS\'
            - ':\Windows\System32\spool\SERVERS\'
            - ':\Windows\System32\Tasks_Migrated\'
            - ':\Windows\System32\Tasks\Microsoft\Windows\SyncCenter\'
            - ':\Windows\SysWOW64\com\dmp\'
            - ':\Windows\SysWOW64\FxsTmp\'
            - ':\Windows\SysWOW64\Tasks\Microsoft\Windows\PLA\System\'
            - ':\Windows\SysWOW64\Tasks\Microsoft\Windows\SyncCenter\'
            - ':\Windows\Tasks\'
            - ':\Windows\Temp\'
            - ':\Windows\Tracing\'
            - '\AppData\Local\Temp\'
            - '\AppData\Roaming\'
    condition: all of selection_*
falsepositives:
    - Unlikely
level: high
Potentially Suspicious DLL Registered Via Odbcconf.EXE
Detects execution of "odbcconf" with the "REGSVR" action where the DLL in question doesn't contain a ".dll" extension, which is often used as a method to evade defenses.
Level: high | Status: test | Author: Nasreddine Bencherchali (Nextron Systems) | ID: ba4cfc11-d0fa-4d94-bf20-7c332c412e76

Sigma YAML:
title: Potentially Suspicious DLL Registered Via Odbcconf.EXE
id: ba4cfc11-d0fa-4d94-bf20-7c332c412e76
related:
    - id: 9f0a8bf3-a65b-440a-8c1e-5cb1547c8e70
      type: derived
status: test
description: Detects execution of "odbcconf" with the "REGSVR" action where the DLL in question doesn't contain a ".dll" extension, which is often used as a method to evade defenses.
references:
    - https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16
    - https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/
    - https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-22
tags:
    - attack.stealth
    - attack.t1218.008
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\odbcconf.exe'
        - OriginalFileName: 'odbcconf.exe'
    selection_cli:
        # Note: The "/A" flag is not required to call a specific action
        CommandLine|contains: 'REGSVR '
    filter_main_dll_ext:
        CommandLine|contains: '.dll'
    condition: all of selection_* and not 1 of filter_main_*
falsepositives:
    - Unlikely
level: high
Suspicious Driver/DLL Installation Via Odbcconf.EXE
Detects execution of "odbcconf" with the "INSTALLDRIVER" action where the driver doesn't contain a ".dll" extension. This is often used as a defense evasion method.
Level: high | Status: test | Author: Nasreddine Bencherchali (Nextron Systems) | ID: cb0fe7c5-f3a3-484d-aa25-d350a7912729

Sigma YAML:
title: Suspicious Driver/DLL Installation Via Odbcconf.EXE
id: cb0fe7c5-f3a3-484d-aa25-d350a7912729
related:
    - id: 3f5491e2-8db8-496b-9e95-1029fce852d4
      type: derived
status: test
description: Detects execution of "odbcconf" with the "INSTALLDRIVER" action where the driver doesn't contain a ".dll" extension. This is often used as a defense evasion method.
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/
    - https://web.archive.org/web/20191023232753/https://twitter.com/Hexacorn/status/1187143326673330176
    - https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-23
tags:
    - attack.stealth
    - attack.t1218.008
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\odbcconf.exe'
        - OriginalFileName: 'odbcconf.exe'
    selection_cli:
        # Note: The "/A" flag is not required to call a specific action
        CommandLine|contains: 'INSTALLDRIVER '
    filter_main_dll_ext:
        CommandLine|contains: '.dll'
    condition: all of selection_* and not 1 of filter_main_*
falsepositives:
    - Unlikely
level: high
Suspicious Response File Execution Via Odbcconf.EXE
Detects execution of "odbcconf" with the "-f" flag in order to load a response file with a non-".rsp" extension.
Level: high | Status: test | Author: Nasreddine Bencherchali (Nextron Systems) | ID: 2d32dd6f-3196-4093-b9eb-1ad8ab088ca5

Sigma YAML:
title: Suspicious Response File Execution Via Odbcconf.EXE
id: 2d32dd6f-3196-4093-b9eb-1ad8ab088ca5
related:
    - id: 5f03babb-12db-4eec-8c82-7b4cb5580868
      type: derived
    - id: 65d2be45-8600-4042-b4c0-577a1ff8a60e
      type: obsolete
status: test
description: Detects execution of "odbcconf" with the "-f" flag in order to load a response file with a non-".rsp" extension.
references:
    - https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16
    - https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/
    - https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-22
modified: 2024-03-13
tags:
    - attack.stealth
    - attack.t1218.008
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\odbcconf.exe'
        - OriginalFileName: 'odbcconf.exe'
    selection_cli:
        CommandLine|contains|windash: ' -f '
    filter_main_rsp_ext:
        CommandLine|contains: '.rsp'
    filter_main_runonce_odbc:
        # When odbcconf is run with the "/R" flag, it creates a "runonce" key to run at the next reboot
        ParentImage: 'C:\Windows\System32\runonce.exe'
        Image: 'C:\Windows\System32\odbcconf.exe'
        CommandLine|contains: '.exe /E /F "C:\WINDOWS\system32\odbcconf.tmp"'
    condition: all of selection_* and not 1 of filter_main_*
falsepositives:
    - Unlikely
level: high
Driver/DLL Installation Via Odbcconf.EXE
Detects execution of "odbcconf" with "INSTALLDRIVER", which installs a new ODBC driver. Attackers abuse this to install and run malicious DLLs.
Level: medium | Status: test | Author: Nasreddine Bencherchali (Nextron Systems) | ID: 3f5491e2-8db8-496b-9e95-1029fce852d4

Sigma YAML:
title: Driver/DLL Installation Via Odbcconf.EXE
id: 3f5491e2-8db8-496b-9e95-1029fce852d4
related:
    - id: cb0fe7c5-f3a3-484d-aa25-d350a7912729
      type: similar
status: test
description: Detects execution of "odbcconf" with "INSTALLDRIVER" which installs a new ODBC driver. Attackers abuse this to install and run malicious DLLs.
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/
    - https://web.archive.org/web/20191023232753/https://twitter.com/Hexacorn/status/1187143326673330176
    - https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-22
tags:
    - attack.stealth
    - attack.t1218.008
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\odbcconf.exe'
        - OriginalFileName: 'odbcconf.exe'
    selection_cli:
        # Note: The "/A" flag is not required to call a specific action
        CommandLine|contains|all:
            - 'INSTALLDRIVER '
            - '.dll'
    condition: all of selection_*
falsepositives:
    - Legitimate driver DLLs being registered via "odbcconf" will generate false positives. Investigate the path of the DLL and its contents to determine if the action is authorized.
level: medium
New DLL Registered Via Odbcconf.EXE
Detects execution of "odbcconf" with "REGSVR" in order to register a new DLL (equivalent to running regsvr32). Attackers abuse this to install and run malicious DLLs.
Level: medium | Status: test | Author: Kirill Kiryanov, Beyu Denis, Daniil Yugoslavskiy, oscd.community, Nasreddine Bencherchali (Nextron Systems) | ID: 9f0a8bf3-a65b-440a-8c1e-5cb1547c8e70

Sigma YAML:
title: New DLL Registered Via Odbcconf.EXE
id: 9f0a8bf3-a65b-440a-8c1e-5cb1547c8e70
related:
    - id: ba4cfc11-d0fa-4d94-bf20-7c332c412e76
      type: similar
status: test
description: Detects execution of "odbcconf" with "REGSVR" in order to register a new DLL (equivalent to running regsvr32). Attackers abuse this to install and run malicious DLLs.
references:
    - https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16
    - https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/
    - https://redcanary.com/blog/raspberry-robin/
    - https://web.archive.org/web/20191023232753/https://twitter.com/Hexacorn/status/1187143326673330176
    - https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/
    - https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html
author: Kirill Kiryanov, Beyu Denis, Daniil Yugoslavskiy, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-22
tags:
    - attack.stealth
    - attack.t1218.008
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\odbcconf.exe'
        - OriginalFileName: 'odbcconf.exe'
    selection_cli:
        # Note: The "/A" flag is not required to call a specific action
        CommandLine|contains|all:
            - 'REGSVR '
            - '.dll'
    condition: all of selection_*
falsepositives:
    - Legitimate DLLs being registered via "odbcconf" will generate false positives. Investigate the path of the DLL and its content to determine if the action is authorized.
level: medium
Response File Execution Via Odbcconf.EXE
Detects execution of "odbcconf" with the "-f" flag in order to load a response file, which might contain a malicious action.
Level: medium | Status: test | Author: Kirill Kiryanov, Beyu Denis, Daniil Yugoslavskiy, oscd.community, Nasreddine Bencherchali (Nextron Systems) | ID: 5f03babb-12db-4eec-8c82-7b4cb5580868

Sigma YAML:
title: Response File Execution Via Odbcconf.EXE
id: 5f03babb-12db-4eec-8c82-7b4cb5580868
related:
    - id: 2d32dd6f-3196-4093-b9eb-1ad8ab088ca5
      type: similar
    - id: 65d2be45-8600-4042-b4c0-577a1ff8a60e
      type: obsolete
status: test
description: Detects execution of "odbcconf" with the "-f" flag in order to load a response file which might contain a malicious action.
references:
    - https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16
    - https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/
    - https://www.cybereason.com/blog/threat-analysis-report-bumblebee-loader-the-high-road-to-enterprise-domain-control
    - https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/
author: Kirill Kiryanov, Beyu Denis, Daniil Yugoslavskiy, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-22
modified: 2024-03-05
tags:
    - attack.stealth
    - attack.t1218.008
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\odbcconf.exe'
        - OriginalFileName: 'odbcconf.exe'
    selection_cli:
        CommandLine|contains|windash: ' -f '
    selection_rsp_ext:
        CommandLine|contains: '.rsp'
    condition: all of selection_*
falsepositives:
    - The rule is looking for any usage of a response file, which might generate false positives when this function is used legitimately. Investigate the contents of the ".rsp" file to determine if it is malicious and apply additional filters if necessary.
level: medium
Uncommon Child Process Spawned By Odbcconf.EXE
Detects an uncommon child process of the "odbcconf.exe" binary, which normally shouldn't have any child processes.
Level: medium | Status: test | Author: Harjot Singh @cyb3rjy0t | ID: 8e3c7994-131e-4ba5-b6ea-804d49113a26

Sigma YAML:
title: Uncommon Child Process Spawned By Odbcconf.EXE
id: 8e3c7994-131e-4ba5-b6ea-804d49113a26
status: test
description: Detects an uncommon child process of the "odbcconf.exe" binary, which normally shouldn't have any child processes.
references:
    - https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16
    - https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/
    - https://medium.com/@cyberjyot/t1218-008-dll-execution-using-odbcconf-exe-803fa9e08dac
author: Harjot Singh @cyb3rjy0t
date: 2023-05-22
tags:
    - attack.stealth
    - attack.t1218.008
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\odbcconf.exe'
    condition: selection
falsepositives:
    - In rare occurrences where "odbcconf" crashes, it might spawn a "werfault" process.
    - Other child processes will depend on the DLL being registered by actions like "regsvr". In cases where the DLL makes external calls (which should be rare), other child processes might spawn and additional filters need to be applied.
level: medium
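As an added example (not code from the Sigma project or the rule authors), the following Python evaluates the field modifiers and condition shapes these rules rely on (endswith, contains, contains|all, windash, OR-ed selection lists, and "all of selection_* and not 1 of filter_main_*") against constructed process-creation events. The two detection blocks and their rule ids are transcribed from the page; the sample events and the simplified windash handling are assumptions.

```python
# Added example, not code from the Sigma project: a minimal evaluator for the field
# modifiers and condition shapes the odbcconf rules above use, run on constructed events.
def field_matches(event, spec, value):
    # One Sigma field spec such as 'CommandLine|contains|windash' (case-insensitive)
    field, *mods = spec.split("|")
    actual = str(event.get(field, "")).lower()
    values = [v.lower() for v in (value if isinstance(value, list) else [value])]
    if "windash" in mods:  # simplified windash: '-' and '/' are interchangeable
        values += [v.replace("-", "/") for v in values]
    if "endswith" in mods:
        hits = [actual.endswith(v) for v in values]
    elif "contains" in mods:
        hits = [v in actual for v in values]
    else:
        hits = [actual == v for v in values]
    return all(hits) if "all" in mods else any(hits)  # '|all' needs every value
def selection_matches(event, sel):
    # A list of maps is OR-ed; the fields inside one map are AND-ed.
    if isinstance(sel, list):
        return any(selection_matches(event, s) for s in sel)
    return all(field_matches(event, k, v) for k, v in sel.items())
def rule_matches(event, detection):
    # Condition 'all of selection_* and not 1 of filter_main_*' (filters optional).
    sels = [v for k, v in detection.items() if k.startswith("selection")]
    filts = [v for k, v in detection.items() if k.startswith("filter_main")]
    return (all(selection_matches(event, s) for s in sels)
            and not any(selection_matches(event, f) for f in filts))
IMG = [{"Image|endswith": "\\odbcconf.exe"}, {"OriginalFileName": "odbcconf.exe"}]
RULES = {  # detection blocks transcribed from two of the rules on this page
    "ba4cfc11-d0fa-4d94-bf20-7c332c412e76": {"selection_img": IMG,
        "selection_cli": {"CommandLine|contains": "REGSVR "},
        "filter_main_dll_ext": {"CommandLine|contains": ".dll"}},
    "2d32dd6f-3196-4093-b9eb-1ad8ab088ca5": {"selection_img": IMG,
        "selection_cli": {"CommandLine|contains|windash": " -f "},
        "filter_main_rsp_ext": {"CommandLine|contains": ".rsp"},
        "filter_main_runonce_odbc": {
            "ParentImage": "C:\\Windows\\System32\\runonce.exe",
            "Image": "C:\\Windows\\System32\\odbcconf.exe",
            "CommandLine|contains": '.exe /E /F "C:\\WINDOWS\\system32\\odbcconf.tmp"'}}}
def evaluate(event):
    # Return the ids of the transcribed rules that fire for one event.
    return [rid for rid, det in RULES.items() if rule_matches(event, det)]
# Constructed sample events (not real telemetry): a non-.dll file passed to REGSVR,
# and the benign runonce re-execution that the response-file rule filters out.
SAMPLE_EVENTS = {
    "regsvr_txt": {"Image": "C:\\Windows\\System32\\odbcconf.exe",
                   "CommandLine": "odbcconf.exe REGSVR C:\\Users\\Public\\x.txt"},
    "runonce_tmp": {"ParentImage": "C:\\Windows\\System32\\runonce.exe",
                    "Image": "C:\\Windows\\System32\\odbcconf.exe",
                    "CommandLine": 'C:\\Windows\\System32\\odbcconf.exe /E /F "C:\\WINDOWS\\system32\\odbcconf.tmp"'}}
```

Running evaluate over SAMPLE_EVENTS shows the REGSVR event firing only the ".dll"-less rule and the runonce re-execution being suppressed by its filter, which is the tuning decision the rule's filter_main_runonce_odbc block encodes.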