Potentially Suspicious DLL Registered Via Odbcconf.EXE

Rule Info

Name
Potentially Suspicious DLL Registered Via Odbcconf.EXE
Author
Nasreddine Bencherchali (Nextron Systems)
Description
Detects execution of "odbcconf" with the "REGSVR" action where the DLL in question doesn't contain a ".dll" extension. Which is often used as a method to evade defenses.
Date
2023-05-22 00:00:00
Modified
None
Id
ba4cfc11-d0fa-4d94-bf20-7c332c412e76
Tags
attack.defense-evasion attack.t1218.008
Type
Community Rule

Rule History

Author
Title
Date
Commit
Nasreddine Bencherchali
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12
github-actions[bot]
Merge PR #4791 from @nasbench - Promote older rules status from `experimental` to `test`
2024-04-01
cyb3rjy0t
feat: add/update rules related to odbcconf (#4228)
2023-05-23