Suspicious Response File Execution Via Odbcconf.EXE

Original Source: [Sigma source]
Title: Suspicious Response File Execution Via Odbcconf.EXE
Status: test
Description: Detects execution of "odbcconf" with the "-f" (or "/f") flag in order to load a response file that does not use the ".rsp" extension. Response files can carry REGSVR directives that load an attacker-controlled DLL, and a non-standard extension is a sign the file is being disguised.
References:
  - https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16
  - https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/
  - https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html
Author: Nasreddine Bencherchali (Nextron Systems)
Date: 2023-05-22
Modified: 2024-03-13
Tags:
  - attack.defense-evasion
  - attack.t1218.008
Logsource:
  category: process_creation
  product: windows
Detection:
  selection_img:
    - Image|endswith: '\odbcconf.exe'
    - OriginalFileName: 'odbcconf.exe'
  selection_cli:
    CommandLine|contains|windash: ' -f '
  filter_main_rsp_ext:
    CommandLine|contains: '.rsp'
  filter_main_runonce_odbc:
    ParentImage: 'C:\Windows\System32\runonce.exe'
    Image: 'C:\Windows\System32\odbcconf.exe'
    CommandLine|contains: '.exe /E /F "C:\WINDOWS\system32\odbcconf.tmp"'
  condition: all of selection_* and not 1 of filter_main_*
Falsepositives:
  - Unlikely
Level: high
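To see how the selections, the windash modifier and the two filters interact, the following Python matcher re-implements the rule's detection logic and runs it over a handful of constructed process_creation events. This is an added example, not code from the Sigma project or the rule author. It assumes Sigma's standard field names (Image, OriginalFileName, CommandLine, ParentImage), case-insensitive string matching as in the Sigma specification, and expands `windash` to the dash variants the specification lists ('-', '/', and the Unicode en dash, em dash and horizontal bar); the sample command lines are made up for the test and are not real telemetry.

```python
"""Stand-alone matcher for the Odbcconf response-file Sigma rule above.

Added example (not part of the Sigma project). It evaluates the rule's
selection and filter blocks over constructed process_creation events so the
logic can be exercised offline.

Assumptions (not stated on the page): events are dicts keyed by Sigma field
names; matching is case-insensitive per the Sigma spec; `windash` expands
'-' to the variants below as in the Sigma spec.
"""

# Dash variants the Sigma `windash` modifier permutes over (assumption: spec v2 set).
WINDASH_VARIANTS = ("-", "/", "\u2013", "\u2014", "\u2015")


def windash_variants(value: str) -> list:
    """Expand a `|windash` value: every '-' is replaced by each dash variant.

    Windows tools accept '/f' as well as '-f', so a rule written for ' -f '
    must also fire on ' /f '; that is the whole reason the modifier exists.
    """
    return [value.replace("-", d) for d in WINDASH_VARIANTS]


def contains(event: dict, field: str, needle: str) -> bool:
    """Sigma |contains: case-insensitive substring; a missing field never matches."""
    value = event.get(field)
    return value is not None and needle.lower() in value.lower()


def endswith(event: dict, field: str, suffix: str) -> bool:
    """Sigma |endswith, case-insensitive."""
    value = event.get(field)
    return value is not None and value.lower().endswith(suffix.lower())


def equals(event: dict, field: str, expected: str) -> bool:
    """Plain Sigma field match, case-insensitive."""
    value = event.get(field)
    return value is not None and value.lower() == expected.lower()


def selection_img(event: dict) -> bool:
    # A list of maps in Sigma is OR: either the on-disk name or the PE
    # OriginalFileName identifies odbcconf, so a renamed copy is still caught.
    return endswith(event, "Image", "\\odbcconf.exe") or equals(
        event, "OriginalFileName", "odbcconf.exe"
    )


def selection_cli(event: dict) -> bool:
    return any(contains(event, "CommandLine", v) for v in windash_variants(" -f "))


def filter_main_rsp_ext(event: dict) -> bool:
    # Response files with the normal .rsp extension are considered benign here.
    return contains(event, "CommandLine", ".rsp")


def filter_main_runonce_odbc(event: dict) -> bool:
    # A map in Sigma is AND: all three fields must match for the filter to apply.
    return (
        equals(event, "ParentImage", "C:\\Windows\\System32\\runonce.exe")
        and equals(event, "Image", "C:\\Windows\\System32\\odbcconf.exe")
        and contains(event, "CommandLine", '.exe /E /F "C:\\WINDOWS\\system32\\odbcconf.tmp"')
    )


def matches(event: dict) -> bool:
    """condition: all of selection_* and not 1 of filter_main_*"""
    selected = selection_img(event) and selection_cli(event)
    filtered = filter_main_rsp_ext(event) or filter_main_runonce_odbc(event)
    return selected and not filtered


# Constructed sample events for the demonstration (not real telemetry).
SAMPLE_EVENTS = [
    # 1. response file with a non-.rsp extension -> alert
    {"Image": r"C:\Windows\System32\odbcconf.exe", "OriginalFileName": "odbcconf.exe",
     "CommandLine": r"odbcconf.exe -f C:\Users\Public\update.txt",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    # 2. slash form of the switch -> windash must still match -> alert
    {"Image": r"C:\Windows\System32\odbcconf.exe", "OriginalFileName": "odbcconf.exe",
     "CommandLine": r"odbcconf.exe /F C:\ProgramData\config.dat",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    # 3. renamed binary; only OriginalFileName gives it away -> alert
    {"Image": r"C:\Users\Public\svc.exe", "OriginalFileName": "odbcconf.exe",
     "CommandLine": r"svc.exe -f C:\Users\Public\setup.ini",
     "ParentImage": r"C:\Windows\explorer.exe"},
    # 4. ordinary .rsp response file -> excluded by filter_main_rsp_ext
    {"Image": r"C:\Windows\System32\odbcconf.exe", "OriginalFileName": "odbcconf.exe",
     "CommandLine": r"odbcconf.exe -f C:\Temp\driver.rsp",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    # 5. runonce.exe loading odbcconf.tmp -> excluded by filter_main_runonce_odbc
    {"Image": r"C:\Windows\System32\odbcconf.exe", "OriginalFileName": "odbcconf.exe",
     "CommandLine": r'C:\Windows\System32\odbcconf.exe /E /F "C:\WINDOWS\system32\odbcconf.tmp"',
     "ParentImage": r"C:\Windows\System32\runonce.exe"},
    # 6. odbcconf without -f (DLL registration) -> outside this rule's scope
    {"Image": r"C:\Windows\System32\odbcconf.exe", "OriginalFileName": "odbcconf.exe",
     "CommandLine": r"odbcconf.exe /a {REGSVR C:\Users\Public\x.dll}",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]


def evaluate(events=SAMPLE_EVENTS) -> list:
    """Apply the rule to each event; returns one bool per event."""
    return [matches(e) for e in events]


if __name__ == "__main__":
    for i, (e, hit) in enumerate(zip(SAMPLE_EVENTS, evaluate()), 1):
        print(f"{i}: {'ALERT' if hit else 'ok   '} {e['CommandLine']}")
```

Events 1 to 3 fire and 4 to 6 do not; event 3 is the one worth noting operationally, since the Image path alone would miss a renamed copy and only the OriginalFileName branch of selection_img catches it, which is why the two fields are ORed rather than ANDed.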