Response File Execution Via Odbcconf.EXE

Rule Info

Name
Response File Execution Via Odbcconf.EXE
Author
Kirill Kiryanov, Beyu Denis, Daniil Yugoslavskiy, oscd.community, Nasreddine Bencherchali (Nextron Systems)
Description
Detects execution of "odbcconf" with the "-f" flag in order to load a response file which might contain a malicious action.
Reference
https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16
Date
2023-05-22 00:00:00
Modified
2024-03-05 00:00:00
Id
5f03babb-12db-4eec-8c82-7b4cb5580868
Tags
attack.defense-evasion attack.t1218.008
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=5f03babb-12db-4eec-8c82-7b4cb5580868

Rule History

Author
Title
Date
Commit
github-actions[bot]
Merge PR #5149 from @nasbench - Promote older rules status from `experimental` to `test`
2025-01-06
873402272
Nasreddine Bencherchali
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12
598d29f81
frack113
Merge PR #4752 from @frack113 - Update rules to use the `windash` modifier
2024-03-11
48baf1187
cyb3rjy0t
feat: add/update rules related to odbcconf (#4228)
2023-05-23
cd71edc09
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022