LoFP / Legitimate driver DLLs being registered via "odbcconf" will generate false positives. Investigate the path of the DLL and its contents to determine whether the action is authorized.

Techniques

Sample rules

Driver/DLL Installation Via Odbcconf.EXE

Description

Detects execution of odbcconf.exe with the INSTALLDRIVER action, which registers a new ODBC driver DLL. Attackers abuse this to load and run a malicious DLL through a signed Microsoft utility.

Detection logic

detection:
  selection_img:
    - Image|endswith: '\odbcconf.exe'
    - OriginalFileName: 'odbcconf.exe'
  selection_cli:
    CommandLine|contains|all:
      - 'INSTALLDRIVER '
      - '.dll'
  condition: all of selection_*
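The following is an added example, not code from this LoFP page or from the Sigma project: it transcribes the rule's two selections into Python, runs them over a few constructed process-creation events, and then applies the triage step the note at the top describes (look at where the DLL lives before deciding). Everything beyond the rule itself is an assumption for illustration: the Sysmon-style field names, case-insensitive string matching as in the Sigma specification, the INSTALLDRIVER command-line shapes, and the short allowlist of directories where vendor ODBC drivers are expected to sit.

```python
"""Added example, not code from the LoFP page or the Sigma project:
run the "Driver/DLL Installation Via Odbcconf.EXE" selections over a few
constructed process-creation events and apply the triage step the LoFP
note describes (look at where the DLL lives). Assumptions, not from the
page: Sysmon-style field names, case-insensitive string matching as in the
Sigma specification, and a made-up list of directories where vendor ODBC
drivers are expected."""
import re

# The rule's detection block, transcribed into Python data structures.
RULE = {
    "selection_img": [                       # a list of maps is OR-ed
        {"Image|endswith": "\\odbcconf.exe"},
        {"OriginalFileName": "odbcconf.exe"},
    ],
    "selection_cli": {                       # fields in one map are AND-ed
        "CommandLine|contains|all": ["INSTALLDRIVER ", ".dll"],
    },
}
CONDITION = "all of selection_*"             # every selection must match

# Assumption: directories where legitimately installed ODBC drivers usually sit.
EXPECTED_DRIVER_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)


def _field_matches(event, key, want):
    """Evaluate one 'Field|modifiers: value' pair, case-insensitively."""
    field, *mods = key.split("|")
    have = str(event.get(field, "")).lower()
    wants = [w.lower() for w in (want if isinstance(want, list) else [want])]
    if "endswith" in mods:
        return any(have.endswith(w) for w in wants)
    if "contains" in mods:
        hits = [w in have for w in wants]
        return all(hits) if "all" in mods else any(hits)
    return any(have == w for w in wants)     # no modifier: exact match


def _selection_matches(event, sel):
    if isinstance(sel, list):                # list => OR of its entries
        return any(_selection_matches(event, s) for s in sel)
    return all(_field_matches(event, k, v) for k, v in sel.items())


def rule_matches(event):
    """condition: all of selection_*"""
    return all(_selection_matches(event, s) for s in RULE.values())


def dll_path(cmdline):
    """Extract the driver DLL path from an INSTALLDRIVER command line.
    Prefers the Driver=... attribute; falls back to the first bare *.dll token."""
    m = re.search(r'Driver=([^|"]+?\.dll)', cmdline, re.IGNORECASE)
    if not m:
        m = re.search(r'(\S+\.dll)', cmdline, re.IGNORECASE)
    return m.group(1) if m else None


def triage(event):
    """Return (matched, verdict). The verdict is a first-pass hint only:
    a DLL under an expected directory still needs its contents checked."""
    if not rule_matches(event):
        return False, "no-match"
    path = dll_path(event.get("CommandLine", ""))
    if path is None:
        return True, "path-unknown"
    if path.lower().startswith(EXPECTED_DRIVER_DIRS):
        return True, "expected-path"
    return True, "unexpected-path"


# Constructed sample events (not real telemetry).
EVENTS = {
    "vendor": {   # legitimate driver install: the documented false positive
        "Image": "C:\\Windows\\System32\\odbcconf.exe",
        "OriginalFileName": "odbcconf.exe",
        "CommandLine": 'odbcconf.exe INSTALLDRIVER "Vendor ODBC Driver|'
                       'Driver=C:\\Program Files\\Vendor\\vendorodbc.dll|'
                       'Setup=C:\\Program Files\\Vendor\\vendorodbc.dll"',
    },
    "public": {   # DLL dropped in a world-writable directory
        "Image": "C:\\Windows\\System32\\odbcconf.exe",
        "OriginalFileName": "odbcconf.exe",
        "CommandLine": 'odbcconf.exe INSTALLDRIVER "x|Driver=C:\\Users\\Public\\update.dll|'
                       'Setup=C:\\Users\\Public\\update.dll"',
    },
    "renamed": {  # copied and renamed binary; still caught via OriginalFileName
        "Image": "C:\\Temp\\oc.exe",
        "OriginalFileName": "odbcconf.exe",
        "CommandLine": 'oc.exe installdriver "y|Driver=C:\\Temp\\y.dll"',
    },
    "other": {    # odbcconf use that is not an INSTALLDRIVER action
        "Image": "C:\\Windows\\System32\\odbcconf.exe",
        "OriginalFileName": "odbcconf.exe",
        "CommandLine": "odbcconf.exe /S /F C:\\Windows\\Temp\\config.rsp",
    },
}


def triage_all(events=EVENTS):
    """Run the rule plus triage over every sample event."""
    return {name: triage(ev) for name, ev in events.items()}


if __name__ == "__main__":
    for name, (hit, verdict) in triage_all().items():
        print(f"{name:8} matched={hit!s:5} verdict={verdict}")
```

The "vendor" event is exactly the false positive the note describes: the rule fires, and only the DLL's location (and, in practice, its signature and contents) separates it from the "public" and "renamed" events. The "renamed" event shows why the rule keys on OriginalFileName as well as Image, and the "other" event shows that the rule is scoped to the INSTALLDRIVER action and says nothing about odbcconf's other modes.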