title: Odbcconf (T1218.008)
id: df00tech-t1218-008
status: experimental
description: "Adversaries may abuse odbcconf.exe to proxy execution of malicious payloads. Odbcconf.exe is a Windows utility that allows configuration of Open Database Connectivity (ODBC) drivers and data source names. Like regsvr32, odbcconf.exe has a REGSVR flag that can be abused to execute DLLs (e.g., odbcconf.exe /S /A {REGSVR \"C:\\Users\\Public\\file.dll\"}). Since odbcconf.exe is digitally signed by Microsoft, it can bypass application control solutions that allowlist Microsoft-signed binaries. Groups including Cobalt Group, Bumblebee malware, and Raspberry Robin have leveraged this technique for DLL execution."
references:
  - https://attack.mitre.org/techniques/T1218/008/
  - https://df00tech.com/detections/T1218.008
author: df00tech
date: 2026/04/19
tags:
  - attack.t1218.008
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # Selection derived from the REGSVR abuse pattern in the description above; the
  # original KQL/SPL query is published on df00tech. Sigma string modifiers are
  # case-insensitive, so ODBCCONF.EXE and regsvr variants also match.
  selection:
    Image|endswith: '\odbcconf.exe'
    CommandLine|contains: 'REGSVR'
  condition: selection
falsepositives:
  - "Legitimate ODBC driver installation procedures that use odbcconf.exe /A {REGSVR ...} to register ODBC drivers from vendor paths"
  - "Database connectivity software (Oracle, SQL Server, MySQL) that registers ODBC drivers via odbcconf.exe during installation"
  - IT administration scripts that configure ODBC data sources for database applications
  - Enterprise applications with custom ODBC drivers that register them via odbcconf.exe
level: high
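The same detection logic, applied to a handful of constructed process_creation events so the match and the triage of the listed false positives can be seen end to end. This is an added example and is not df00tech's rule or query; it assumes Sysmon-style field names (`Image`, `CommandLine`, `ParentImage`), treats a DLL under an assumed vendor install root (`C:\Program Files\`) as the low-severity case the falsepositives section describes, and all events below are constructed, not real telemetry.

```python
import re
from dataclasses import dataclass

# Constructed sample events with Sysmon-style field names (not real telemetry).
SAMPLE_EVENTS = [
    {  # REGSVR of a DLL from a user-writable path: the pattern in the rule description
        "Image": r"C:\Windows\System32\odbcconf.exe",
        "CommandLine": r'odbcconf.exe /S /A {REGSVR "C:\Users\Public\file.dll"}',
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
    {  # Vendor installer registering its own driver (falsepositives section)
        "Image": r"C:\Windows\SysWOW64\ODBCCONF.EXE",
        "CommandLine": r'ODBCCONF.EXE /A {REGSVR "C:\Program Files\VendorDB\odbcdrv.dll"}',
        "ParentImage": r"C:\Program Files\VendorDB\setup.exe",
    },
    {  # odbcconf used for DSN configuration, no REGSVR: must not match
        "Image": r"C:\Windows\System32\odbcconf.exe",
        "CommandLine": r'odbcconf.exe /A {CONFIGDSN "SQL Server" "DSN=Sales"}',
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
    {  # Different binary entirely: must not match this rule
        "Image": r"C:\Windows\System32\regsvr32.exe",
        "CommandLine": r"regsvr32.exe /s C:\Windows\System32\example.dll",
        "ParentImage": r"C:\Windows\System32\msiexec.exe",
    },
]

# Pulls the DLL path out of a {REGSVR "path"} action; quotes are optional.
REGSVR_RE = re.compile(r'REGSVR\s+"?([^"}]+)"?', re.IGNORECASE)

# Assumed benign driver install roots for triage only (tune per environment);
# the Sigma rule itself still fires on every REGSVR use.
TRUSTED_DLL_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\")


@dataclass
class Finding:
    command_line: str
    dll_path: str
    severity: str


def matches_rule(event: dict) -> bool:
    """Mirror the Sigma selection: Image endswith \\odbcconf.exe and CommandLine contains REGSVR.

    Sigma's endswith/contains are case-insensitive, so compare lowercased values."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "").lower()
    return image.endswith("\\odbcconf.exe") and "regsvr" in cmd


def extract_dll(command_line: str) -> str:
    """Return the DLL path passed to REGSVR, or an empty string if none is found."""
    m = REGSVR_RE.search(command_line)
    return m.group(1).strip() if m else ""


def triage(event: dict):
    """Return a Finding for matching events; severity drops for DLLs under an assumed vendor root."""
    if not matches_rule(event):
        return None
    dll = extract_dll(event["CommandLine"])
    severity = "high"
    if dll.lower().startswith(TRUSTED_DLL_PREFIXES):
        severity = "low"  # likely vendor driver registration, per the falsepositives list
    return Finding(event["CommandLine"], dll, severity)


def run(events: list) -> list:
    """Apply the rule to a batch of process_creation events and keep the hits."""
    return [f for f in (triage(e) for e in events) if f is not None]


if __name__ == "__main__":
    for finding in run(SAMPLE_EVENTS):
        print(f"[{finding.severity}] {finding.dll_path}  <-  {finding.command_line}")
```

The rule and the script both fire on every REGSVR invocation, including the vendor installer; the severity downgrade is a triage aid layered on top, not a change to the rule, since the user-writable path in the first event is what separates the LOLBin abuse from a routine driver install.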
