attack.defense_evasion DEMO attack.t1218.008
Suspicious Driver/DLL Installation Via Odbcconf.EXE
Detects execution of "odbcconf" with the "INSTALLDRIVER" action where the driver doesn't contain a ".dll" extension. This is often used as a defense evasion method.
Nasreddine Bencherchali (Nextron Systems)
feat: add/update rules related to odbcconf (#4228)