Detect Odbcconf in Sumo Logic CSE
Adversaries may abuse odbcconf.exe to proxy execution of malicious payloads. Odbcconf.exe is a Windows utility that allows configuration of Open Database Connectivity (ODBC) drivers and data source names. Like regsvr32, odbcconf.exe has a REGSVR flag that can be abused to execute DLLs (e.g., odbcconf.exe /S /A {REGSVR "C:\Users\Public\file.dll"}). Since odbcconf.exe is digitally signed by Microsoft, it can bypass application control solutions that allowlist Microsoft-signed binaries. Groups including Cobalt Group, Bumblebee malware, and Raspberry Robin have leveraged this technique for DLL execution.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1218 System Binary Proxy Execution
- Sub-technique
- T1218.008 Odbcconf
- Canonical reference
- https://attack.mitre.org/techniques/T1218/008/
Sumo Detection Query
_sourceCategory="windows/sysmon" OR _sourceCategory="windows/security"
| where EventID = "1" OR EventID = "4688"
| where Image matches "*\\odbcconf.exe" OR NewProcessName matches "*\\odbcconf.exe"
| eval CommandLine = coalesce(CommandLine, ProcessCommandLine)
| eval ParentImage = coalesce(ParentImage, ParentProcessName)
| eval REGSVRFlag = if(matches(CommandLine, "(?i)REGSVR"), 1, 0)
| eval SuspiciousPath = if(matches(CommandLine, "(?i)(Temp|AppData|Downloads|Public|Desktop|ProgramData)"), 1, 0)
| eval RemoteLoad = if(matches(CommandLine, "(?i)(https?://|\\\\\\\\[a-zA-Z])"), 1, 0)
| eval SilentFlag = if(matches(CommandLine, "(?i)(/S|/silent)"), 1, 0)
| eval SuspiciousParent = if(matches(ParentImage, "(?i)(cmd|powershell|wscript|cscript|mshta)\\.exe"), 1, 0)
| eval RiskScore = REGSVRFlag + SuspiciousPath + RemoteLoad + SuspiciousParent
| where RiskScore > 0
| fields _messageTime, _sourceHost, User, CommandLine, ParentImage, REGSVRFlag, SuspiciousPath, RemoteLoad, SilentFlag, SuspiciousParent, RiskScore
| sort by RiskScore desc, _messageTime descDetects malicious use of odbcconf.exe to proxy DLL execution via REGSVR flag, remote loading from HTTP or UNC paths, or suspicious-path DLL loading by script interpreter parents. Risk score aggregates across behavioral indicators.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate ODBC data source configuration performed by DBAs using odbcconf.exe with REGSVR from standard application directories
- Software vendors registering ODBC drivers silently (/S flag) from ProgramData or temp directories during application installation
- IT automation frameworks (Ansible, Puppet) invoking odbcconf.exe through cmd.exe or powershell.exe for database configuration management tasks
Other platforms for T1218.008
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Odbcconf REGSVR DLL Execution from Temp
Expected signal: Sysmon Event ID 1: odbcconf.exe with REGSVR, /S, and Temp path. Sysmon Event ID 7 (Image Load) for the DLL being loaded by odbcconf. Security Event ID 4688.
- Test 2Odbcconf Launched from PowerShell
Expected signal: Sysmon Event ID 1: powershell.exe then odbcconf.exe with ParentImage=powershell.exe, REGSVR in command line. Both SuspiciousParent and REGSVRFlag fire.
- Test 3Odbcconf Response File Execution
Expected signal: Sysmon Event ID 11: RSP file written to Temp. Sysmon Event ID 1: odbcconf.exe with /S /F and Temp path for the response file. The REGSVR instruction is inside the file, not on the command line.
References (6)
- https://attack.mitre.org/techniques/T1218/008/
- https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/
- https://docs.microsoft.com/en-us/sql/odbc/odbcconf-exe
- https://blog.trendmicro.com/trendlabs-security-intelligence/cobalt-spam-runs-use-macros-cve-2017-8759-exploit/
- https://www.cybereason.com/blog/threat-alert-bumblebee-malware
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.008/T1218.008.md
Unlock Pro Content
Get the full detection package for T1218.008 including response playbook, investigation guide, and atomic red team tests.