Suspicious Driver/DLL Installation Via Odbcconf.EXE

Rule Info

Tags
attack.defense_evasion DEMO attack.t1218.008
Name
Suspicious Driver/DLL Installation Via Odbcconf.EXE
Id
cb0fe7c5-f3a3-484d-aa25-d350a7912729
Date
2023-05-23 00:00:00
Modified
None
Description
Detects execution of "odbcconf" with the "INSTALLDRIVER" action where the driver doesn't contain a ".dll" extension. This is often used as a defense evasion method.
Reference
https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/
Author
Nasreddine Bencherchali (Nextron Systems)
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=cb0fe7c5-f3a3-484d-aa25-d350a7912729

Rule History

Title
Author
Commit
Date
feat: add/update rules related to odbcconf (#4228)
cyb3rjy0t
cd71edc09
2023-05-23
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022