Suspicious Driver/DLL Installation Via Odbcconf.EXE

About the rule

Rule Type

Standard

Rule Description

Odbcconf.exe is a legitimate Windows utility designed for configuring Open Database Connectivity (ODBC) drivers and data source names. Attackers can abuse this process to proxy the execution of malicious DLLs or drivers, often bypassing application control and whitelisting mechanisms by leveraging trusted Windows binaries (Living-off-the-Land Binaries, or LOLBins). This rule detects suspicious invocations of odbcconf.exe such as usage of the REGSVR, INSTALLDRIVER, or CONFIGDRIVER actions to register DLLs located in unusual directories, or to execute files with non-standard extensions.

Severity

Trouble

Rule journey

Attack chain scenario

Initial access → Abuse of odbcconf.exe → Command and Control or Persistence → Impact

Impact

• Malicious code execution under a trusted process
• Persistence via rogue driver/DLL registration
• Elevated privileges or lateral movement
• System compromise

Rule Requirement

Prerequisites

Use the Group Policy Management Console to audit process creation and process termination.

Install Sysmon from Microsoft Sysinternals and download the Sysmon configuration file that includes process creation monitoring. Add network connection events to the configuration file to monitor all network activity.

Create a new registry key "Microsoft-Windows-Sysmon/Operational" in the directory "Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\" if not already created.

Criteria

Detection

Execution Mode

realtime

Log Sources

Windows

MITRE ATT&CK

Defense Evasion: System Binary Proxy Execution - Odbcconf (T1218.008)

Security Standards

Enabling this rule will help you meet the security standard's requirement listed below:

DE.CM-01: Networks and network services are monitored to find potentially adverse events.

When this rule is triggered, you’re notified of a suspicious invocation of odbcconf.exe that attempts to install or register a driver/DLL, such as unexpected use of the REGSVR or INSTALLDRIVER action or non-standard DLL locations. This enables you to review process usage, inspect driver/DLL sources, and identify unauthorized or anomalous executions, supporting proactive monitoring and rapid response to threats involving odbcconf.exe.

Author

Nasreddine Bencherchali (Nextron Systems)

Future actions

Known False Positives

This rule may trigger during legitimate administrative tasks or approved enterprise software deployments that leverage odbcconf.exe for valid driver or DLL updates. Always review file paths, command-line usage, and driver origins for legitimacy.

Next Steps

When this rule is triggered, the following measures can be implemented:

1. Identification: Identify if the flagged event is a new incident or part of an existing incident.
2. Analysis: Analyze the impact and extent of the incident to comprehend the severity of the attack using the Incident Workbench.
3. Response: Respond promptly by initiating an automated workflow to interrupt the network connections and cease the malicious process.
4. Reconfiguration: Update allowlists and detection rules, refine monitoring policies, and continue periodic review of odbcconf.exe usage in your environment.

Mitigation