Uncommon Child Process Spawned By Odbcconf.EXE
Detects an uncommon child process of "odbcconf.exe" binary which normally shouldn't have any child processes.
Sigma rule (View on GitHub)
1title: Uncommon Child Process Spawned By Odbcconf.EXE
2id: 8e3c7994-131e-4ba5-b6ea-804d49113a26
3status: test
4description: Detects an uncommon child process of "odbcconf.exe" binary which normally shouldn't have any child processes.
5references:
6 - https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16
7 - https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/
8 - https://medium.com/@cyberjyot/t1218-008-dll-execution-using-odbcconf-exe-803fa9e08dac
9author: Harjot Singh @cyb3rjy0t
10date: 2023/05/22
11tags:
12 - attack.defense_evasion
13 - attack.t1218.008
14logsource:
15 category: process_creation
16 product: windows
17detection:
18 selection:
19 ParentImage|endswith: '\odbcconf.exe'
20 condition: selection
21falsepositives:
22 - In rare occurrences where "odbcconf" crashes. It might spawn a "werfault" process
23 - Other child processes will depend on the DLL being registered by actions like "regsvr". In case where the DLLs have external calls (which should be rare). Other child processes might spawn and additional filters need to be applied.
24level: medium
References
Related rules
- Driver/DLL Installation Via Odbcconf.EXE
- New DLL Registered Via Odbcconf.EXE
- Odbcconf.EXE Suspicious DLL Location
- Potentially Suspicious DLL Registered Via Odbcconf.EXE
- Suspicious Driver/DLL Installation Via Odbcconf.EXE