Techniques
Sample rules
Windows Odbcconf Load Response File
- source: splunk
- technicques:
- T1218.008
Description
The following analytic identifies the odbcconf.exe, Windows Open Database Connectivity utility, loading up a resource file. The file extension is arbitrary and may be named anything. The resource file itself may have different commands supported by Odbcconf to load up a DLL (REGSVR) on disk or additional commands. During triage, review file modifications and parallel processes.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=odbcconf.exe Processes.process IN ("*-f *","*/f *") Processes.process="*.rsp*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_odbcconf_load_response_file_filter`
Windows Odbcconf Load DLL
- source: splunk
- technicques:
- T1218.008
Description
The following analytic identifies odbcconf.exe, Windows Open Database Connectivity utility, utilizing the action function of regsvr to load a DLL. An example will look like - odbcconf.exe /A { REGSVR T1218-2.dll }. During triage, review parent process, parallel procesess and file modifications.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=odbcconf.exe Processes.process IN ("*/a *", "*-a*") Processes.process="*regsvr*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_odbcconf_load_dll_filter`