Uncommon Child Process Spawned By Odbcconf.EXE
Detects an uncommon child process of "odbcconf.exe" binary which normally shouldn't have any child processes.
Sigma rule (View on GitHub)
1title: Uncommon Child Process Spawned By Odbcconf.EXE
2id: 8e3c7994-131e-4ba5-b6ea-804d49113a26
3status: test
4description: Detects an uncommon child process of "odbcconf.exe" binary which normally shouldn't have any child processes.
5references:
6 - https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16
7 - https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/
8 - https://medium.com/@cyberjyot/t1218-008-dll-execution-using-odbcconf-exe-803fa9e08dac
9author: Harjot Singh @cyb3rjy0t
10date: 2023-05-22
11tags:
12 - attack.defense-evasion
13 - attack.t1218.008
14logsource:
15 category: process_creation
16 product: windows
17detection:
18 selection:
19 ParentImage|endswith: '\odbcconf.exe'
20 condition: selection
21falsepositives:
22 - In rare occurrences where "odbcconf" crashes. It might spawn a "werfault" process
23 - Other child processes will depend on the DLL being registered by actions like "regsvr". In case where the DLLs have external calls (which should be rare). Other child processes might spawn and additional filters need to be applied.
24level: medium
References
-
Odbcconf.exe is a living-of-the-land file containing unexpected functionality that can be abused by attackers; this page lists all its use cases.
Read More -
Related rules
- Driver/DLL Installation Via Odbcconf.EXE
- New DLL Registered Via Odbcconf.EXE
- Odbcconf.EXE Suspicious DLL Location
- Potentially Suspicious DLL Registered Via Odbcconf.EXE
- Response File Execution Via Odbcconf.EXE