Adversaries may abuse odbcconf.exe to proxy execution of malicious payloads. Odbcconf.exe is a Windows utility that allows you to configure Open Database Connectivity (ODBC) drivers and data source names.(Citation: Microsoft odbcconf.exe) The Odbcconf.exe binary may be digitally signed by Microsoft.
Adversaries may abuse odbcconf.exe to bypass application control solutions that do not account for its potential abuse. Similar to Regsvr32, odbcconf.exe has a <code>REGSVR</code> flag that can be misused to execute DLLs (ex: <code>odbcconf.exe /S /A {REGSVR "C:\Users\Public\file.dll"}</code>). (Citation: LOLBAS Odbcconf)(Citation: TrendMicro Squiblydoo Aug 2017)(Citation: TrendMicro Cobalt Group Nov 2017)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
|---|---|---|---|---|
| CM-11 | User-installed Software | Protects | T1218.008 | Odbcconf |
| CM-2 | Baseline Configuration | Protects | T1218.008 | Odbcconf |
| CM-6 | Configuration Settings | Protects | T1218.008 | Odbcconf |
| CM-7 | Least Functionality | Protects | T1218.008 | Odbcconf |
| CM-8 | System Component Inventory | Protects | T1218.008 | Odbcconf |
| RA-5 | Vulnerability Monitoring and Scanning | Protects | T1218.008 | Odbcconf |
| SI-10 | Information Input Validation | Protects | T1218.008 | Odbcconf |
| SI-16 | Memory Protection | Protects | T1218.008 | Odbcconf |
| SI-3 | Malicious Code Protection | Protects | T1218.008 | Odbcconf |
| SI-4 | System Monitoring | Protects | T1218.008 | Odbcconf |
| SI-7 | Software, Firmware, and Information Integrity | Protects | T1218.008 | Odbcconf |
| action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1218.008 | Signed Binary Proxy Execution: Odbcconf |