T1218.008 Odbcconf Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "odbcconf.exe"
| extend REGSVRFlag = ProcessCommandLine has "REGSVR"
| extend SuspiciousPath = ProcessCommandLine has_any ("Temp", "AppData", "Downloads", "Public", "Desktop", "ProgramData")
| extend RemoteLoad = ProcessCommandLine has_any ("http://", "https://", "\\\\")
| extend SilentFlag = ProcessCommandLine has_any ("/S", "/silent")
| extend SuspiciousParent = InitiatingProcessFileName has_any ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe")
| where REGSVRFlag or RemoteLoad or (SuspiciousPath and SuspiciousParent)
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName,
         InitiatingProcessCommandLine, REGSVRFlag, SuspiciousPath, RemoteLoad, SilentFlag, SuspiciousParent
| sort by Timestamp desc

high severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

Legitimate ODBC driver installation procedures that use odbcconf.exe /A {REGSVR ...} to register ODBC drivers from vendor paths
Database connectivity software (Oracle, SQL Server, MySQL) that registers ODBC drivers via odbcconf.exe during installation
IT administration scripts that configure ODBC data sources for database applications
Enterprise applications with custom ODBC drivers that register them via odbcconf.exe

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
Image="*\\odbcconf.exe"
| eval REGSVRFlag=if(match(CommandLine, "REGSVR"), 1, 0)
| eval SuspiciousPath=if(match(CommandLine, "(Temp|AppData|Downloads|Public|Desktop|ProgramData)"), 1, 0)
| eval RemoteLoad=if(match(CommandLine, "http[s]?://|\\\\\\\\[a-zA-Z]"), 1, 0)
| eval SilentFlag=if(match(CommandLine, "(/S|/silent)"), 1, 0)
| eval SuspiciousParent=if(match(ParentImage, "(cmd|powershell|wscript|cscript|mshta)\.exe"), 1, 0)
| eval RiskScore=REGSVRFlag + SuspiciousPath + RemoteLoad + SuspiciousParent
| where RiskScore > 0
| table _time, host, User, CommandLine, ParentImage, ParentCommandLine, REGSVRFlag, SuspiciousPath, RemoteLoad, SilentFlag, SuspiciousParent, RiskScore
| sort - _time

high severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Legitimate ODBC driver installation procedures that use odbcconf.exe /A {REGSVR ...} to register ODBC drivers from vendor paths
Database connectivity software (Oracle, SQL Server, MySQL) that registers ODBC drivers via odbcconf.exe during installation
IT administration scripts that configure ODBC data sources for database applications
Enterprise applications with custom ODBC drivers that register them via odbcconf.exe

Elastic Security (EQL)

eql

process where event.type == "start"
  and process.name : "odbcconf.exe"
  and (
    process.args : "*REGSVR*"
    or process.args : ("*http://*", "*https://*", "*\\\\*")
    or (
      process.args : ("*Temp*", "*AppData*", "*Downloads*", "*Public*", "*Desktop*", "*ProgramData*")
      and process.parent.name : ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe")
    )
  )

high severity high confidence

Data Sources

Elastic Endpoint Winlogbeat with Sysmon Elastic Agent (endpoint integration)

Required Tables

logs-endpoint.events.process-* winlogbeat-*

False Positives

Legitimate ODBC driver installation or update scripts executed by IT admins using odbcconf.exe with REGSVR to register valid drivers stored in standard program directories
Software deployment tools (SCCM, Intune) running odbcconf.exe from ProgramData as part of application provisioning pipelines
Database middleware installers that invoke odbcconf.exe from a parent process like cmd.exe during legitimate silent installation routines

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  username,
  "HOSTNAME" AS host,
  "CommandLine",
  "ParentImage",
  CASE
    WHEN "CommandLine" ILIKE '%REGSVR%' THEN 1 ELSE 0
  END +
  CASE
    WHEN "CommandLine" ILIKE '%http://%' OR "CommandLine" ILIKE '%https://%' OR "CommandLine" ILIKE '%\\\\%' THEN 1 ELSE 0
  END +
  CASE
    WHEN ("CommandLine" ILIKE '%Temp%' OR "CommandLine" ILIKE '%AppData%' OR "CommandLine" ILIKE '%Downloads%' OR "CommandLine" ILIKE '%Public%' OR "CommandLine" ILIKE '%Desktop%' OR "CommandLine" ILIKE '%ProgramData%')
     AND ("ParentImage" ILIKE '%cmd.exe%' OR "ParentImage" ILIKE '%powershell.exe%' OR "ParentImage" ILIKE '%wscript.exe%' OR "ParentImage" ILIKE '%cscript.exe%' OR "ParentImage" ILIKE '%mshta.exe%') THEN 1 ELSE 0
  END AS RiskScore
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Sysmon')
  AND QIDNAME(qid) IN ('Process Create', 'Sysmon Process Create')
  AND "Image" ILIKE '%\\odbcconf.exe'
  AND (
    "CommandLine" ILIKE '%REGSVR%'
    OR "CommandLine" ILIKE '%http://%'
    OR "CommandLine" ILIKE '%https://%'
    OR "CommandLine" ILIKE '%\\\\\\\\%'
    OR (
      ("CommandLine" ILIKE '%Temp%' OR "CommandLine" ILIKE '%AppData%' OR "CommandLine" ILIKE '%Downloads%'
       OR "CommandLine" ILIKE '%Public%' OR "CommandLine" ILIKE '%Desktop%' OR "CommandLine" ILIKE '%ProgramData%')
      AND ("ParentImage" ILIKE '%cmd.exe%' OR "ParentImage" ILIKE '%powershell.exe%'
           OR "ParentImage" ILIKE '%wscript.exe%' OR "ParentImage" ILIKE '%cscript.exe%' OR "ParentImage" ILIKE '%mshta.exe%')
    )
  )
  AND RiskScore > 0
ORDER BY starttime DESC
LAST 24 HOURS

high severity medium confidence

Data Sources

Microsoft Windows Security Event Log (EventID 4688) Sysmon Event Log (EventID 1) QRadar Windows DSM

Required Tables

events

False Positives

Enterprise database driver deployments using odbcconf.exe REGSVR to register legitimate ODBC drivers from vendor-supplied installers in Program Files
Automated patch management or configuration management systems invoking odbcconf.exe via cmd.exe as part of scripted database middleware setup
Third-party ERP or CRM software installers that call odbcconf.exe from scripted parent processes stored in ProgramData during silent installs

Sumo Logic CSE

sql

_sourceCategory="windows/sysmon" OR _sourceCategory="windows/security"
| where EventID = "1" OR EventID = "4688"
| where Image matches "*\\odbcconf.exe" OR NewProcessName matches "*\\odbcconf.exe"
| eval CommandLine = coalesce(CommandLine, ProcessCommandLine)
| eval ParentImage = coalesce(ParentImage, ParentProcessName)
| eval REGSVRFlag = if(matches(CommandLine, "(?i)REGSVR"), 1, 0)
| eval SuspiciousPath = if(matches(CommandLine, "(?i)(Temp|AppData|Downloads|Public|Desktop|ProgramData)"), 1, 0)
| eval RemoteLoad = if(matches(CommandLine, "(?i)(https?://|\\\\\\\\[a-zA-Z])"), 1, 0)
| eval SilentFlag = if(matches(CommandLine, "(?i)(/S|/silent)"), 1, 0)
| eval SuspiciousParent = if(matches(ParentImage, "(?i)(cmd|powershell|wscript|cscript|mshta)\\.exe"), 1, 0)
| eval RiskScore = REGSVRFlag + SuspiciousPath + RemoteLoad + SuspiciousParent
| where RiskScore > 0
| fields _messageTime, _sourceHost, User, CommandLine, ParentImage, REGSVRFlag, SuspiciousPath, RemoteLoad, SilentFlag, SuspiciousParent, RiskScore
| sort by RiskScore desc, _messageTime desc

high severity high confidence

Data Sources

Sumo Logic Windows Sysmon source Sumo Logic Windows Security Event Log source Sumo Logic Installed Collector with Windows Event Log source

Required Tables

windows/sysmon windows/security

False Positives

Legitimate ODBC data source configuration performed by DBAs using odbcconf.exe with REGSVR from standard application directories
Software vendors registering ODBC drivers silently (/S flag) from ProgramData or temp directories during application installation
IT automation frameworks (Ansible, Puppet) invoking odbcconf.exe through cmd.exe or powershell.exe for database configuration management tasks

Google Chronicle / SecOps

yaral

rule t1218_008_odbcconf_proxy_execution {
  meta:
    author = "df00tech"
    description = "Detects abuse of odbcconf.exe for proxy DLL execution via REGSVR flag, remote loading, or suspicious parent-child execution patterns (MITRE T1218.008)"
    mitre_attack = "T1218.008"
    severity = "HIGH"
    confidence = "HIGH"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.target.process.file.full_path = /(?i)\\odbcconf\.exe$/
    (
      $e.target.process.command_line = /(?i)REGSVR/
      or $e.target.process.command_line = /(?i)https?:\/\//
      or $e.target.process.command_line = /\\\\\\\\/
      or (
        $e.target.process.command_line = /(?i)(Temp|AppData|Downloads|Public|Desktop|ProgramData)/
        and $e.principal.process.file.full_path = /(?i)(cmd|powershell|wscript|cscript|mshta)\.exe$/
      )
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle UDM Windows Endpoint telemetry forwarded to Chronicle CrowdStrike or Carbon Black events normalized to UDM

Required Tables

UDM Events (PROCESS_LAUNCH)

False Positives

Legitimate ODBC driver registration by enterprise software packages using odbcconf.exe /S /A {REGSVR} against signed DLLs in Program Files
Database middleware setup tools that invoke odbcconf.exe from cmd.exe or powershell.exe during silent enterprise installations
Network-shared ODBC driver packages accessed via UNC paths during centralized driver distribution in large Active Directory environments

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| ImageFileName = /\\odbcconf\.exe$/i
| eval REGSVRFlag = if(CommandLine = /REGSVR/i, 1, 0)
| eval SuspiciousPath = if(CommandLine = /(Temp|AppData|Downloads|Public|Desktop|ProgramData)/i, 1, 0)
| eval RemoteLoad = if(CommandLine = /https?:\/\/|\\\\\\\\/i, 1, 0)
| eval SilentFlag = if(CommandLine = /(\/S|\/silent)/i, 1, 0)
| eval SuspiciousParent = if(ParentBaseFileName = /(cmd|powershell|wscript|cscript|mshta)\.exe/i, 1, 0)
| eval RiskScore = REGSVRFlag + SuspiciousPath + RemoteLoad + SuspiciousParent
| where RiskScore > 0
| table([@timestamp, ComputerName, UserName, CommandLine, ParentBaseFileName, ParentCommandLine, REGSVRFlag, SuspiciousPath, RemoteLoad, SilentFlag, SuspiciousParent, RiskScore])
| sort(RiskScore, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Protection (ProcessRollup2 events) Falcon Data Replicator or Humio/LogScale SIEM connector

Required Tables

ProcessRollup2

False Positives

Legitimate enterprise ODBC driver rollouts where IT scripts invoke odbcconf.exe REGSVR against vendor-signed DLLs staged in ProgramData
Configuration management platforms such as Chef or Puppet running odbcconf.exe through cmd.exe for database source name management
Software update mechanisms for database tools that use PowerShell to invoke odbcconf.exe with /S flag for silent driver updates from AppData staging areas

Odbcconf

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections