Techniques
Sample rules
Windows Odbcconf Hunting
- source: splunk
- technicques:
- T1218.008
Description
The following analytic identifies Odbcconf.exe running in the environment to assist with identifying tuning higher fidelity analytics related to Odbcconf.exe.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=odbcconf.exe by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_odbcconf_hunting_filter`