T1218.008 IBM QRadar · QRadar

Detect Odbcconf in IBM QRadar

Adversaries may abuse odbcconf.exe to proxy execution of malicious payloads. Odbcconf.exe is a Windows utility for configuring Open Database Connectivity (ODBC) drivers and data source names. Like regsvr32.exe, it will register (and therefore load and execute) an attacker-supplied DLL: the REGSVR action passed with /A does this directly (e.g., odbcconf.exe /S /A {REGSVR "C:\Users\Public\file.dll"}), and the same action can be read from a response file with /F, which keeps the string REGSVR off the command line. Because odbcconf.exe is digitally signed by Microsoft, it can bypass application control policies that allowlist Microsoft-signed binaries. Cobalt Group, Bumblebee, and Raspberry Robin have used this technique for DLL execution.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1218 System Binary Proxy Execution
Sub-technique
T1218.008 Odbcconf
Canonical reference
https://attack.mitre.org/techniques/T1218/008/

QRadar Detection Query

IBM QRadar (AQL)
SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  username,
  "HOSTNAME" AS host,
  "CommandLine",
  "ParentImage",
  CASE
    WHEN "CommandLine" ILIKE '%REGSVR%' THEN 1 ELSE 0
  END +
  CASE
    WHEN "CommandLine" ILIKE '%http://%' OR "CommandLine" ILIKE '%https://%' OR "CommandLine" ILIKE '%\\\\%' THEN 1 ELSE 0
  END +
  CASE
    WHEN ("CommandLine" ILIKE '%Temp%' OR "CommandLine" ILIKE '%AppData%' OR "CommandLine" ILIKE '%Downloads%' OR "CommandLine" ILIKE '%Public%' OR "CommandLine" ILIKE '%Desktop%' OR "CommandLine" ILIKE '%ProgramData%')
     AND ("ParentImage" ILIKE '%cmd.exe%' OR "ParentImage" ILIKE '%powershell.exe%' OR "ParentImage" ILIKE '%wscript.exe%' OR "ParentImage" ILIKE '%cscript.exe%' OR "ParentImage" ILIKE '%mshta.exe%') THEN 1 ELSE 0
  END AS RiskScore
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Sysmon')
  AND QIDNAME(qid) IN ('Process Create', 'Sysmon Process Create')
  AND "Image" ILIKE '%\\odbcconf.exe'
  AND (
    "CommandLine" ILIKE '%REGSVR%'
    OR "CommandLine" ILIKE '%http://%'
    OR "CommandLine" ILIKE '%https://%'
    OR "CommandLine" ILIKE '%\\\\%'
    OR (
      ("CommandLine" ILIKE '%Temp%' OR "CommandLine" ILIKE '%AppData%' OR "CommandLine" ILIKE '%Downloads%'
       OR "CommandLine" ILIKE '%Public%' OR "CommandLine" ILIKE '%Desktop%' OR "CommandLine" ILIKE '%ProgramData%')
      AND ("ParentImage" ILIKE '%cmd.exe%' OR "ParentImage" ILIKE '%powershell.exe%'
           OR "ParentImage" ILIKE '%wscript.exe%' OR "ParentImage" ILIKE '%cscript.exe%' OR "ParentImage" ILIKE '%mshta.exe%')
    )
  )
ORDER BY starttime DESC
LAST 24 HOURS
Severity
high
Confidence
medium

Detects odbcconf.exe process creation where the command line carries the REGSVR action, references a remote DLL over HTTP(S) or a UNC path, or points into a user-writable staging directory while the parent is a script interpreter (cmd.exe, powershell.exe, wscript.exe, cscript.exe, mshta.exe). Every returned row scores at least 1, because the WHERE clause repeats the same three conditions; RiskScore (1 to 3) counts how many fired and mirrors the scoring used in the Splunk (SPL) version of this detection, so it can be used to prioritise rather than to filter. Coverage gap: a launch that passes REGSVR through a response file (odbcconf.exe /S /F <file>) never matches the REGSVR condition and is caught only if the response file path sits in one of the listed staging directories and the parent is a listed script interpreter.
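The same scoring logic in Python, as an added example that is not part of this page or of the QRadar rule: it re-implements the three indicators of the AQL query over constructed process-creation records (a Sysmon Event ID 1 / Security 4688 record reduced to host, image, command line and parent image), and goes one step beyond the query with an optional fourth indicator that flags a response file (/F) placed in a staging directory, to make the response-file gap visible. Hostnames, paths and the record layout are constructed assumptions, not telemetry from the page.

```python
"""Odbcconf (T1218.008) risk scoring over process-creation records.

Added example: re-implements the three indicators of the QRadar query in
Python and adds one optional extension (response-file detection). All
sample records below are constructed, not real telemetry.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Parent images treated as script interpreters (same list as the AQL query).
SCRIPT_PARENTS = ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe")
# Path fragments marking user-writable staging locations (same list as the AQL query).
STAGING_DIRS = ("temp", "appdata", "downloads", "public", "desktop", "programdata")


@dataclass
class ProcessEvent:
    """Minimal view of a Sysmon Event ID 1 / Security 4688 record (assumed field set)."""
    host: str
    image: str
    command_line: str
    parent_image: str


def basename(path: str) -> str:
    """Last component of a Windows path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def is_odbcconf(ev: ProcessEvent) -> bool:
    return basename(ev.image) == "odbcconf.exe"


def page_indicators(ev: ProcessEvent) -> Dict[str, bool]:
    """The three indicators of the QRadar query, matched case-insensitively."""
    cl = ev.command_line.lower()
    return {
        "regsvr_flag": "regsvr" in cl,
        # HTTP(S) URL or UNC prefix (two literal backslashes) in the command line.
        "remote_source": "http://" in cl or "https://" in cl or "\\\\" in cl,
        "staging_dir_from_script": any(d in cl for d in STAGING_DIRS)
        and basename(ev.parent_image) in SCRIPT_PARENTS,
    }


def response_file_in_staging_dir(ev: ProcessEvent) -> bool:
    """Extension not present in the page's query: odbcconf /F <file> where the
    response file sits in a staging directory. The REGSVR action lives inside
    the file, so the command line alone never matches the REGSVR indicator."""
    m = re.search(r'(?:^|\s)/f\s+"?([^"\s]+)', ev.command_line.lower())
    return bool(m) and any(d in m.group(1) for d in STAGING_DIRS)


def risk_score(ev: ProcessEvent, include_extension: bool = False) -> int:
    """Count of indicators that fired (0..3, or 0..4 with the extension)."""
    score = sum(page_indicators(ev).values())
    if include_extension and response_file_in_staging_dir(ev):
        score += 1
    return score


def triage(events: List[ProcessEvent], include_extension: bool = False) -> List[Tuple[str, int]]:
    """(host, score) for every odbcconf.exe launch scoring above zero, in input order."""
    hits = []
    for ev in events:
        if is_odbcconf(ev):
            s = risk_score(ev, include_extension)
            if s > 0:
                hits.append((ev.host, s))
    return hits


# Constructed sample records (hostnames and paths are made up).
SAMPLE_EVENTS = [
    # REGSVR from a user-writable path, but launched from explorer.exe: REGSVR only.
    ProcessEvent("WS01", r"C:\Windows\System32\odbcconf.exe",
                 r'odbcconf.exe /S /A {REGSVR "C:\Users\Public\file.dll"}',
                 r"C:\Windows\explorer.exe"),
    # REGSVR + staging directory + PowerShell parent.
    ProcessEvent("WS02", r"C:\Windows\System32\odbcconf.exe",
                 r'odbcconf.exe /S /A {REGSVR "C:\Users\bob\AppData\Local\Temp\x.dll"}',
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    # REGSVR + UNC path.
    ProcessEvent("WS03", r"C:\Windows\System32\odbcconf.exe",
                 r'odbcconf.exe /S /A {REGSVR "\\fileserver\share\m.dll"}',
                 r"C:\Windows\System32\cmd.exe"),
    # Response file variant: REGSVR is inside a.rsp, not on the command line.
    ProcessEvent("WS04", r"C:\Windows\System32\odbcconf.exe",
                 r"odbcconf.exe /S /F C:\Users\bob\AppData\Local\Temp\a.rsp",
                 r"C:\Windows\explorer.exe"),
    # Likely benign vendor driver registration (the false-positive case in the tuning notes).
    ProcessEvent("SRV01", r"C:\Windows\System32\odbcconf.exe",
                 r'odbcconf.exe /S /A {REGSVR "C:\Program Files\Vendor\odbcdrv.dll"}',
                 r"C:\Windows\System32\msiexec.exe"),
    # Not odbcconf.exe at all: ignored by this rule.
    ProcessEvent("WS05", r"C:\Windows\System32\regsvr32.exe",
                 r"regsvr32.exe /s C:\Users\Public\file.dll",
                 r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for host, s in triage(SAMPLE_EVENTS, include_extension=True):
        print(f"{host}: RiskScore={s}")
```

Run without the extension, WS04 (the response-file launch) scores 0 and is dropped, exactly as the AQL query would drop it; with the extension it surfaces at score 1. SRV01 shows why REGSVR alone is only medium confidence: a vendor installer registering a driver under Program Files also scores 1.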

Data Sources

  • Microsoft Windows Security Event Log (Event ID 4688); the "CommandLine" field is populated only when the "Include command line in process creation events" audit policy is enabled, otherwise only the REGSVR-free image path reaches QRadar and none of the conditions can match
  • Sysmon Event Log (Event ID 1)
  • QRadar Windows DSM

Required Tables

events

False Positives & Tuning

  • Enterprise database driver deployments that use odbcconf.exe REGSVR to register legitimate ODBC drivers from vendor-supplied installers in Program Files; tune by excluding DLL paths under Program Files when the parent is a known installer process
  • Automated patch management or configuration management systems that invoke odbcconf.exe via cmd.exe as part of scripted database middleware setup; tune on the agent's service account and parent image rather than on odbcconf.exe itself
  • Third-party ERP or CRM software installers that call odbcconf.exe from scripted parent processes stored in ProgramData during silent installs; these will score on the staging-directory indicator, so allowlist the specific installer path rather than ProgramData as a whole

Testing Methodology

Validate this detection with the three test cases below, derived from the Atomic Red Team coverage of T1218.008. Each test lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Odbcconf REGSVR DLL Execution from Temp

    Expected signal: Sysmon Event ID 1: odbcconf.exe with REGSVR, /S, and Temp path. Sysmon Event ID 7 (Image Load) for the DLL being loaded by odbcconf. Security Event ID 4688.

  2. Test 2: Odbcconf Launched from PowerShell

    Expected signal: Sysmon Event ID 1: powershell.exe, then odbcconf.exe with ParentImage=powershell.exe and REGSVR in the command line. The REGSVR condition fires; the script-interpreter parent condition fires as well only if the DLL path also lies in one of the listed staging directories, giving RiskScore 2.

  3. Test 3: Odbcconf Response File Execution

    Expected signal: Sysmon Event ID 11: RSP file written to Temp. Sysmon Event ID 1: odbcconf.exe with /S /F and the Temp path of the response file. The REGSVR instruction is inside the file, not on the command line, so this test only matches when the Temp path is present and the parent is one of the listed script interpreters; launched from explorer.exe it is missed, which is the coverage gap to keep in mind when tuning.
