Identifies abuse of odbcconf.exe to execute malicious DLLs using the REGSVR command flag. Behavior chain: (1) Process creation of odbcconf.exe with /REGSVR or /A {REGSVR ...} arguments → (2) DLL load by odbcconf.exe of non-standard or unsigned modules → (3) Optional follow-on process creation or network activity from loaded DLL.
| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Security | EventCode=4688 |
| Module Load (DC0016) | WinEventLog:Sysmon | EventCode=7 |
| Network Connection Creation (DC0082) | WinEventLog:Sysmon | EventCode=3 |

| Field | Description |
|---|---|
| ParentProcessName | List of approved processes that may legitimately invoke odbcconf.exe |
| AllowedCommandPatterns | Known-good odbcconf.exe arguments in the environment |
| TimeWindow | Time range for correlating module loads and network activity after odbcconf.exe execution |
| ApprovedModuleHashes | Baseline of legitimate DLLs loaded by odbcconf.exe |