
Rule Info
Tags
attack.defense_evasion DEMO attack.t1218.008
Name
New DLL Registered Via Odbcconf.EXE
Id
9f0a8bf3-a65b-440a-8c1e-5cb1547c8e70
Date
2023-05-22 00:00:00
Modified
None
Description
Detects execution of "odbcconf" with "REGSVR" in order to register a new DLL (equivalent to running regsvr32). Attackers abuse this to install and run malicious DLLs.
Author
Kirill Kiryanov, Beyu Denis, Daniil Yugoslavskiy, oscd.community, Nasreddine Bencherchali (Nextron Systems)
Type
Community Rule
Link to Public Repo
Rule History
Title
Author
Commit
Date