Techniques
Sample rules
Driver/DLL Installation Via Odbcconf.EXE
- source: sigma
- techniques:
  - t1218
  - t1218.008
Description
Detects execution of “odbcconf” with “INSTALLDRIVER” which installs a new ODBC driver. Attackers abuse this to install and run malicious DLLs.
Detection logic
condition: all of selection_*
selection_cli:
  CommandLine|contains|all:
    - 'INSTALLDRIVER '
    - .dll
selection_img:
  - Image|endswith: \odbcconf.exe
  - OriginalFileName: odbcconf.exe
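The detection logic above, evaluated against constructed process-creation events as an added example (not part of the Sigma rule or the original page). The function names, the Sysmon-style event fields and all sample values are assumptions; matching is case-insensitive, as Sigma string matching is by default.

```python
# Added example: the rule's selections evaluated in plain Python.
# Sigma string matching is case-insensitive by default, so values are lowercased.

def selection_img(event):
    # A list of maps in a Sigma selection is an OR: either field identifies the binary.
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith("\\odbcconf.exe") or original == "odbcconf.exe"

def selection_cli(event):
    # contains|all: every listed substring must appear in CommandLine.
    cmd = event.get("CommandLine", "").lower()
    return all(s in cmd for s in ("installdriver ", ".dll"))

def matches(event):
    # condition: all of selection_*
    return selection_img(event) and selection_cli(event)

# Constructed events; field names assume Sysmon-style process-creation logging.
SAMPLE_EVENTS = [
    # 0: driver install that references a DLL
    {"Image": r"C:\Windows\System32\odbcconf.exe",
     "OriginalFileName": "odbcconf.exe",
     "CommandLine": r'odbcconf.exe INSTALLDRIVER "Sample|Driver=C:\Temp\sample.dll"'},
    # 1: renamed copy, still caught through OriginalFileName
    {"Image": r"C:\Users\Public\svc.exe",
     "OriginalFileName": "odbcconf.exe",
     "CommandLine": r'svc.exe installdriver "Sample|Driver=C:\Temp\sample.DLL"'},
    # 2: odbcconf started without the INSTALLDRIVER action
    {"Image": r"C:\Windows\System32\odbcconf.exe",
     "OriginalFileName": "odbcconf.exe",
     "CommandLine": "odbcconf.exe"},
    # 3: unrelated process whose arguments happen to contain both strings
    {"Image": r"C:\Windows\System32\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": r"notepad.exe C:\Docs\INSTALLDRIVER sample.dll notes.txt"},
]

def detect(events):
    """Return the indexes of events the rule would alert on."""
    return [i for i, e in enumerate(events) if matches(e)]

if __name__ == "__main__":
    print(detect(SAMPLE_EVENTS))
```

Event 3 shows why the rule requires both selections: the command-line strings alone would also fire on unrelated processes.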