attack.defense_evasion DEMO attack.t1218.008
Potentially Suspicious DLL Registered Via Odbcconf.EXE
Detects execution of "odbcconf" with the "REGSVR" action where the DLL in question doesn't contain a ".dll" extension, which is often used as a method to evade defenses.
Nasreddine Bencherchali (Nextron Systems)
feat: add/update rules related to odbcconf (#4228)