Adversaries may abuse odbcconf.exe to proxy execution of malicious payloads. Odbcconf.exe is a Windows utility that allows you to configure Open Database Connectivity (ODBC) drivers and data source names.(Citation: Microsoft odbcconf.exe) The Odbcconf.exe binary may be digitally signed by Microsoft.
Adversaries may abuse odbcconf.exe to bypass application control solutions that do not account for its potential abuse. Similar to Regsvr32, odbcconf.exe has a <code>REGSVR</code> flag that can be misused to execute DLLs (ex: <code>odbcconf.exe /S /A {REGSVR "C:\Users\Public\file.dll"}</code>). (Citation: LOLBAS Odbcconf)(Citation: TrendMicro Squiblydoo Aug 2017)(Citation: TrendMicro Cobalt Group Nov 2017)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| CM-06 | Configuration Settings | mitigates | T1218.008 | Odbcconf | |
| CM-11 | User-installed Software | mitigates | T1218.008 | Odbcconf | |
| SI-16 | Memory Protection | mitigates | T1218.008 | Odbcconf | |
| RA-05 | Vulnerability Monitoring and Scanning | mitigates | T1218.008 | Odbcconf | |
| CM-08 | System Component Inventory | mitigates | T1218.008 | Odbcconf | |
| SI-10 | Information Input Validation | mitigates | T1218.008 | Odbcconf | |
| SI-03 | Malicious Code Protection | mitigates | T1218.008 | Odbcconf | |
| SI-07 | Software, Firmware, and Information Integrity | mitigates | T1218.008 | Odbcconf | |
| CM-02 | Baseline Configuration | mitigates | T1218.008 | Odbcconf | |
| CM-07 | Least Functionality | mitigates | T1218.008 | Odbcconf | |
| SI-04 | System Monitoring | mitigates | T1218.008 | Odbcconf |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1218.008 | Odbcconf |