Adversaries may abuse odbcconf.exe to proxy execution of malicious payloads. Odbcconf.exe is a Windows utility that allows you to configure Open Database Connectivity (ODBC) drivers and data source names.[1] The Odbcconf.exe binary may be digitally signed by Microsoft.
Adversaries may abuse odbcconf.exe to bypass application control solutions that do not account for its potential abuse. Similar to Regsvr32, odbcconf.exe has a REGSVR flag that can be misused to execute DLLs (ex: odbcconf.exe /S /A {REGSVR "C:\Users\Public\file.dll"}). [2][3][4]
| ID | Name | Description |
|---|---|---|
| S1039 | Bumblebee |
Bumblebee can use |
| G0080 | Cobalt Group |
Cobalt Group has used |
| S1130 | Raspberry Robin |
Raspberry Robin uses the Windows utility odbcconf.exe to execute malicious commands, using the |
| ID | Mitigation | Description |
|---|---|---|
| M1042 | Disable or Remove Feature or Program |
Odbcconf.exe may not be necessary within a given environment. |
| M1038 | Execution Prevention |
Use application control configured to block execution of Odbcconf.exe if it is not required for a given system or network to prevent potential misuse by adversaries. |
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| DET0486 | Detecting Odbcconf Proxy Execution of Malicious DLLs | AN1335 |
Identifies abuse of odbcconf.exe to execute malicious DLLs using the REGSVR command flag. Behavior chain: (1) Process creation of odbcconf.exe with /REGSVR or /A {REGSVR ...} arguments → (2) DLL load by odbcconf.exe of non-standard or unsigned modules → (3) Optional follow-on process creation or network activity from loaded DLL. |