Suspicious Driver/DLL Installation Via Odbcconf.EXE

Rule Info

Name
Suspicious Driver/DLL Installation Via Odbcconf.EXE
Author
Nasreddine Bencherchali (Nextron Systems)
Description
Detects execution of "odbcconf" with the "INSTALLDRIVER" action where the driver doesn't contain a ".dll" extension. This is often used as a defense evasion method.
Reference
https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/
Date
2023-05-23 00:00:00
Modified
None
Id
cb0fe7c5-f3a3-484d-aa25-d350a7912729
Tags
attack.defense_evasion attack.t1218.008 DEMO
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=cb0fe7c5-f3a3-484d-aa25-d350a7912729

Rule History

Author
Title
Date
Commit
github-actions[bot]
Merge PR #4791 from @nasbench - Promote older rules status from `experimental` to `test`
2024-04-01
a8e1ecd65
cyb3rjy0t
feat: add/update rules related to odbcconf (#4228)
2023-05-23
cd71edc09
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022