other child processes will depend on the dll being registered by actions like \"regsvr\". in case where the dlls have external calls (which should be rare). other child processes might spawn and additional filters need to be applied.

source: <a href=https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_odbcconf_uncommon_child_process.yml>sigma
technicques: t1218 t1218.008

Techniques

Detects an uncommon child process of “odbcconf.exe” binary which normally shouldn’t have any child processes.

condition: selection
selection:
  ParentImage|endswith: \odbcconf.exe