Response File Execution Via Odbcconf.EXE

Rule Info

Name: Response File Execution Via Odbcconf.EXE
Author: Kirill Kiryanov, Beyu Denis, Daniil Yugoslavskiy, oscd.community, Nasreddine Bencherchali (Nextron Systems)
Description: Detects execution of "odbcconf" with the "-f" flag in order to load a response file which might contain a malicious action.
Date: 2023-05-22 00:00:00
Modified: 2024-03-05 00:00:00
Id: 5f03babb-12db-4eec-8c82-7b4cb5580868
Tags: attack.defense_evasion attack.t1218.008 DEMO
Type: Community Rule

Rule History

Author | Title | Date | Commit
frack113 | Merge PR #4752 from @frack113 - Update rules to use the `windash` modifier | 2024-03-11 |
cyb3rjy0t | feat: add/update rules related to odbcconf (#4228) | 2023-05-23 |