Synopsis
| Activation Period | 14 Days |
| Training Period | 30 Days |
| Test Period | N/A (single event) |
| Deduplication Period | 1 Day |
| Required Data | |
| Detection Modules | |
| Detector Tags | |
| ATT&CK Tactic | |
| ATT&CK Technique | |
| Severity | Medium |
Description
Attackers may abuse the Odbcconf.exe Windows utility to proxy the execution of malicious DLL files.
Attacker's Goals
Execute arbitrary code or load malicious DLL modules undetected within a Microsoft-signed program, launched from a Microsoft-signed process.
Investigative actions
- Check the execution command line; if a 'REGSVR' action points to a DLL, examine that DLL.
- If the command line contains the '/f' argument (for a script file), check the content of the script.
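The two investigative actions above can be scripted for triage. The following is an added example, not part of the original alert reference: it pulls the REGSVR DLL path and any '/f' script path out of an Odbcconf.exe command line, and lists REGSVR targets found inside a script's content. The function names are hypothetical, the sample command lines are constructed, and the code assumes switches are case-insensitive, may begin with "/" or "-", and that a script file holds one action per line.

```python
import re

# Assumptions in this sketch: switches are case-insensitive and may start with
# "/" or "-", and a response (script) file carries one action per line.
REGSVR_ACTION = re.compile(r'\{\s*REGSVR\s+"?([^"{}]+?)"?\s*\}', re.IGNORECASE)
RESPONSE_FILE = re.compile(r'(?:^|\s)[/-]F\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)
REGSVR_LINE = re.compile(r'^[ \t]*REGSVR\s+"?([^"\r\n]+?)"?\s*$',
                         re.IGNORECASE | re.MULTILINE)


def is_odbcconf(cmdline):
    """True when the first token of the command line is odbcconf(.exe)."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', cmdline)
    if not m:
        return False
    name = re.split(r'[\\/]', m.group(1) or m.group(2))[-1].lower()
    return name in ("odbcconf.exe", "odbcconf")


def triage_cmdline(cmdline):
    """Return the files an analyst should pull, or None if not odbcconf."""
    if not is_odbcconf(cmdline):
        return None
    return {
        "regsvr_dlls": [p.strip() for p in REGSVR_ACTION.findall(cmdline)],
        "response_files": [q or u for q, u in RESPONSE_FILE.findall(cmdline)],
    }


def regsvr_targets_in_script(text):
    """List DLL paths named by REGSVR lines inside a script file's content."""
    return [p.strip() for p in REGSVR_LINE.findall(text)]


if __name__ == "__main__":
    # Constructed sample command lines, not taken from a real incident.
    samples = [
        r'"C:\Windows\System32\odbcconf.exe" /S /A {REGSVR "C:\Users\Public\sample.dll"}',
        r'odbcconf -f C:\ProgramData\setup.rsp',
        r'cmd.exe /c dir',
    ]
    for s in samples:
        print(s, "->", triage_cmdline(s))
    # Constructed script-file content.
    print(regsvr_targets_in_script("REGSVR C:\\ProgramData\\helper.dll\r\n"))
```

Each returned path is a file to collect and inspect; a script file may itself name further DLLs, so run its content through `regsvr_targets_in_script` as well.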