The rule looks for any use of a response file, which might generate false positives when this functionality is used legitimately. Investigate the contents of the ".rsp" file to determine whether it is malicious and apply additional filters if necessary.

Techniques

Sample rules

Response File Execution Via Odbcconf.EXE

Description

Detects execution of “odbcconf” with the “-f” flag in order to load a response file which might contain a malicious action.

Detection logic

detection:
  selection_img:
    - Image|endswith: '\odbcconf.exe'
    - OriginalFileName: 'odbcconf.exe'
  selection_cli:
    CommandLine|contains|windash: ' -f '
  selection_rsp_ext:
    CommandLine|contains: '.rsp'
  condition: all of selection_*
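The following is an added example, not code from LoFP or the Sigma project, that evaluates the detection logic above against a few constructed process-creation events and pulls out the referenced .rsp path so an analyst can follow the triage advice in the note. It assumes events are plain dicts with Sysmon-style field names (Image, OriginalFileName, CommandLine) and expands the windash modifier to the dash variants listed in the Sigma specification ('-', '/', and the Unicode en, em and horizontal-bar dashes); Sigma string matching is case-insensitive, so all comparisons are lower-cased.

```python
import re

# Dash variants that the Sigma 'windash' modifier expands '-' to
# (per the Sigma specification: - / – — ―)
WINDASH_VARIANTS = ["-", "/", "\u2013", "\u2014", "\u2015"]


def windash_contains(haystack: str, pattern: str) -> bool:
    """CommandLine|contains|windash: True if any dash variant of pattern occurs."""
    return any(pattern.replace("-", dash) in haystack for dash in WINDASH_VARIANTS)


def match_odbcconf_rsp(event: dict) -> bool:
    """Evaluate 'all of selection_*' for the rule above on one event."""
    image = event.get("Image", "").lower()
    original_name = event.get("OriginalFileName", "").lower()
    cmdline = event.get("CommandLine", "").lower()

    # selection_img: either the image path or the PE original name is odbcconf.exe
    sel_img = image.endswith("\\odbcconf.exe") or original_name == "odbcconf.exe"
    # selection_cli: ' -f ' with windash expansion (so ' /f ' also matches)
    sel_cli = windash_contains(cmdline, " -f ")
    # selection_rsp_ext: a response file extension anywhere in the command line
    sel_rsp = ".rsp" in cmdline
    return sel_img and sel_cli and sel_rsp


def extract_rsp_path(cmdline: str):
    """Best-effort extraction of the response file path for analyst follow-up."""
    match = re.search(r"(\S+\.rsp)\b", cmdline, re.IGNORECASE)
    return match.group(1) if match else None


def triage(events):
    """Return (EventId, rsp_path) for every event the rule would fire on."""
    return [
        (e["EventId"], extract_rsp_path(e["CommandLine"]))
        for e in events
        if match_odbcconf_rsp(e)
    ]


# Constructed sample events (not real telemetry); EventId is a synthetic counter.
SAMPLE_EVENTS = [
    {"EventId": 1, "Image": r"C:\Windows\System32\odbcconf.exe",
     "OriginalFileName": "odbcconf.exe",
     "CommandLine": r"odbcconf.exe -f C:\Users\Public\setup.rsp"},
    # Same action with the slash form of the switch: windash still matches
    {"EventId": 2, "Image": r"C:\Windows\System32\odbcconf.exe",
     "OriginalFileName": "odbcconf.exe",
     "CommandLine": r"odbcconf.exe /f C:\ProgramData\drivers.rsp"},
    # Legitimate odbcconf use without a response file: no match
    {"EventId": 3, "Image": r"C:\Windows\System32\odbcconf.exe",
     "OriginalFileName": "odbcconf.exe",
     "CommandLine": 'odbcconf.exe CONFIGSYSDSN "SQL Server" "DSN=reporting"'},
    # Unrelated binary mentioning .rsp and -f: selection_img fails
    {"EventId": 4, "Image": r"C:\Windows\System32\cmd.exe",
     "OriginalFileName": "Cmd.Exe",
     "CommandLine": r"cmd.exe /c type notes.rsp -f "},
    # Renamed copy: Image does not end with odbcconf.exe but OriginalFileName does
    {"EventId": 5, "Image": r"C:\Temp\dbtool.exe",
     "OriginalFileName": "odbcconf.exe",
     "CommandLine": r"dbtool.exe -f driver.rsp"},
]

if __name__ == "__main__":
    for event_id, rsp in triage(SAMPLE_EVENTS):
        print(f"EventId {event_id}: review response file {rsp}")
```

Events 1, 2 and 5 fire; 3 and 4 do not. Event 5 shows why the rule keys on OriginalFileName as well as Image, and events 1 and 2 show the windash expansion covering both switch styles. To reduce the false positives the note describes, compare the extracted path against the installer or deployment tooling known to drop .rsp files in the environment before adding a filter to the rule.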