Potentially Suspicious DLL Registered Via Odbcconf.EXE

Rule Info

Name
Potentially Suspicious DLL Registered Via Odbcconf.EXE
Author
Nasreddine Bencherchali (Nextron Systems)
Description
Detects execution of "odbcconf" with the "REGSVR" action where the DLL in question doesn't contain a ".dll" extension. Which is often used as a method to evade defenses.
Reference
https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16
Date
2023-05-22 00:00:00
Modified
None
Id
ba4cfc11-d0fa-4d94-bf20-7c332c412e76
Tags
attack.defense_evasion attack.t1218.008 DEMO
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=ba4cfc11-d0fa-4d94-bf20-7c332c412e76

Rule History

Author
Title
Date
Commit
github-actions[bot]
Merge PR #4791 from @nasbench - Promote older rules status from `experimental` to `test`
2024-04-01
a8e1ecd65
cyb3rjy0t
feat: add/update rules related to odbcconf (#4228)
2023-05-23
cd71edc09
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022