LoFP

Legitimate DLLs being registered via "odbcconf" will generate false positives. Investigate the path of the DLL and its content to determine whether the action is authorized.

Techniques

Sample rules

New DLL Registered Via Odbcconf.EXE

Description

Detects execution of "odbcconf" with the "REGSVR" action, which registers a DLL by loading it and calling its DllRegisterServer export (equivalent to running regsvr32). Attackers abuse this to load and run malicious DLLs through a Microsoft-signed binary.

Detection logic

detection:
  selection_img:
    - Image|endswith: '\odbcconf.exe'
    - OriginalFileName: 'odbcconf.exe'
  selection_cli:
    CommandLine|contains|all:
      - 'REGSVR '
      - '.dll'
  condition: all of selection_*