LoFP / in rare occurrences where \"odbcconf\" crashes. it might spawn a \"werfault\" process

Techniques

• t1218
• t1218.008

Sample rules

Uncommon Child Process Spawned By Odbcconf.EXE

• source: sigma
• technicques:
  • t1218
  • t1218.008

Description

Detects an uncommon child process of “odbcconf.exe” binary which normally shouldn’t have any child processes.

Detection logic

condition: selection
selection:
  ParentImage|endswith: \odbcconf.exe