Response File Execution Via Odbcconf.EXE

Detects execution of "odbcconf" with the "-f" flag in order to load a response file which might contain a malicious action.

Sigma rule (View on GitHub)

 1title: Response File Execution Via Odbcconf.EXE
 2id: 5f03babb-12db-4eec-8c82-7b4cb5580868
 3related:
 4    - id: 2d32dd6f-3196-4093-b9eb-1ad8ab088ca5
 5      type: similar
 6    - id: 65d2be45-8600-4042-b4c0-577a1ff8a60e
 7      type: obsolete
 8status: experimental
 9description: Detects execution of "odbcconf" with the "-f" flag in order to load a response file which might contain a malicious action.
10references:
11    - https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16
12    - https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/
13    - https://www.cybereason.com/blog/threat-analysis-report-bumblebee-loader-the-high-road-to-enterprise-domain-control
14    - https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/
15author: Kirill Kiryanov, Beyu Denis, Daniil Yugoslavskiy, oscd.community, Nasreddine Bencherchali (Nextron Systems)
16date: 2023-05-22
17modified: 2024-03-05
18tags:
19    - attack.defense-evasion
20    - attack.t1218.008
21logsource:
22    category: process_creation
23    product: windows
24detection:
25    selection_img:
26        - Image|endswith: '\odbcconf.exe'
27        - OriginalFileName: 'odbcconf.exe'
28    selection_cli:
29        CommandLine|contains|windash: ' -f '
30    selection_rsp_ext:
31        CommandLine|contains: '.rsp'
32    condition: all of selection_*
33falsepositives:
34    - The rule is looking for any usage of response file, which might generate false positive when this function is used legitimately. Investigate the contents of the ".rsp" file to determine if it is malicious and apply additional filters if necessary.
35level: medium

References

Related rules

to-top