New ODBC Driver Registered
Detects the registration of a new ODBC driver.
Sigma rule
title: New ODBC Driver Registered
id: 3390fbef-c98d-4bdd-a863-d65ed7c610dd
status: test
description: Detects the registration of a new ODBC driver.
references:
    - https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-23
modified: 2023-08-17
tags:
    - attack.persistence
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\SOFTWARE\ODBC\ODBCINST.INI\'
        TargetObject|endswith: '\Driver'
    filter_main_sqlserver:
        TargetObject|contains: '\SQL Server\'
        Details: '%WINDIR%\System32\SQLSRV32.dll'
    filter_optional_office_access:
        TargetObject|contains: '\Microsoft Access '
        Details|startswith: 'C:\Progra'
        Details|endswith: '\ACEODBC.DLL'
    filter_optional_office_excel:
        TargetObject|contains: '\Microsoft Excel Driver'
        Details|startswith: 'C:\Progra'
        Details|endswith: '\ACEODBC.DLL'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Likely
level: low
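To show how the selection and the filter_main_* / filter_optional_* blocks combine under the rule's condition, the following added example (not code from the Sigma project) evaluates the same logic over constructed registry_set events. It assumes Sysmon Event ID 13 field names (TargetObject, Details) and mirrors Sigma's case-insensitive string modifiers; the event values are illustrative, not captured telemetry.

```python
# Added example, not from the Sigma project: a minimal evaluator for this rule's
# detection block over constructed registry_set events (Sysmon EID 13 fields
# TargetObject and Details). Sigma string modifiers match case-insensitively,
# so every comparison lowercases both sides.
def _m(value, op, needle):
    v, n = value.lower(), needle.lower()
    return {"contains": n in v, "startswith": v.startswith(n),
            "endswith": v.endswith(n), "equals": v == n}[op]

def selection(ev):
    t = ev.get("TargetObject", "")
    return (_m(t, "contains", "\\SOFTWARE\\ODBC\\ODBCINST.INI\\")
            and _m(t, "endswith", "\\Driver"))

def filter_main_sqlserver(ev):
    return (_m(ev.get("TargetObject", ""), "contains", "\\SQL Server\\")
            and _m(ev.get("Details", ""), "equals", "%WINDIR%\\System32\\SQLSRV32.dll"))

def filter_optional_office(ev):
    # Covers both filter_optional_office_access and filter_optional_office_excel.
    t, d = ev.get("TargetObject", ""), ev.get("Details", "")
    return ((_m(t, "contains", "\\Microsoft Access ") or _m(t, "contains", "\\Microsoft Excel Driver"))
            and _m(d, "startswith", "C:\\Progra") and _m(d, "endswith", "\\ACEODBC.DLL"))

def rule_matches(ev):
    # condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
    return selection(ev) and not filter_main_sqlserver(ev) and not filter_optional_office(ev)

# Constructed sample events (illustrative values, not captured telemetry).
SAMPLE_EVENTS = [
    {"TargetObject": "HKLM\\SOFTWARE\\ODBC\\ODBCINST.INI\\SQL Server\\Driver",
     "Details": "%WINDIR%\\System32\\SQLSRV32.dll"},                     # built-in, filtered
    {"TargetObject": "HKLM\\SOFTWARE\\ODBC\\ODBCINST.INI\\Microsoft Access Driver (*.mdb, *.accdb)\\Driver",
     "Details": "C:\\Program Files\\Microsoft Office\\root\\Office16\\ACEODBC.DLL"},  # Office, filtered
    {"TargetObject": "HKLM\\SOFTWARE\\ODBC\\ODBCINST.INI\\Custom Driver\\Driver",
     "Details": "C:\\Users\\Public\\custom.dll"},                        # unknown driver, alert
    {"TargetObject": "hklm\\software\\odbc\\odbcinst.ini\\Custom Driver\\driver",
     "Details": "C:\\Users\\Public\\custom.dll"},                        # same, lowercase: still alerts
    {"TargetObject": "HKLM\\SOFTWARE\\ODBC\\ODBCINST.INI\\Custom Driver\\Setup",
     "Details": "C:\\Users\\Public\\setup.dll"},                         # not the Driver value, ignored
]

def evaluate(events):
    """Return the TargetObject of every event the rule would fire on."""
    return [ev["TargetObject"] for ev in events if rule_matches(ev)]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print("ALERT New ODBC Driver Registered:", hit)
```

The two Custom Driver events are the only hits; the SQL Server and Office registrations are suppressed by the filters, and the Setup value never passes the selection.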