Adversaries may abuse odbcconf.exe to proxy execution of malicious payloads. Odbcconf.exe is a Windows utility that allows you to configure Open Database Connectivity (ODBC) drivers and data source names.(Citation: Microsoft odbcconf.exe) Odbcconf.exe is digitally signed by Microsoft.
Adversaries may abuse odbcconf.exe to bypass application control solutions that do not account for its potential abuse. Similar to Regsvr32, odbcconf.exe has a <code>REGSVR</code> flag that can be misused to execute DLLs (ex: <code>odbcconf.exe /S /A {REGSVR "C:\Users\Public\file.dll"}</code>). (Citation: LOLBAS Odbcconf)(Citation: TrendMicro Squiblydoo Aug 2017)(Citation: TrendMicro Cobalt Group Nov 2017)
View in MITRE ATT&CK®Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
---|---|---|---|---|
CM-2 | Baseline Configuration | Protects | T1218.008 | Odbcconf |
CM-6 | Configuration Settings | Protects | T1218.008 | Odbcconf |
CM-7 | Least Functionality | Protects | T1218.008 | Odbcconf |
CM-8 | System Component Inventory | Protects | T1218.008 | Odbcconf |
RA-5 | Vulnerability Monitoring and Scanning | Protects | T1218.008 | Odbcconf |
SI-10 | Information Input Validation | Protects | T1218.008 | Odbcconf |
SI-4 | System Monitoring | Protects | T1218.008 | Odbcconf |
SI-7 | Software, Firmware, and Information Integrity | Protects | T1218.008 | Odbcconf |