System Binary Proxy Execution: Odbcconf

Adversaries may abuse odbcconf.exe to proxy execution of malicious payloads. Odbcconf.exe is a Windows utility that allows you to configure Open Database Connectivity (ODBC) drivers and data source names.[1] The Odbcconf.exe binary may be digitally signed by Microsoft.

Adversaries may abuse odbcconf.exe to bypass application control solutions that do not account for its potential abuse. Similar to Regsvr32, odbcconf.exe has a REGSVR flag that can be misused to execute DLLs (ex: odbcconf.exe /S /A {REGSVR "C:\Users\Public\file.dll"}). [2][3][4]

ID: T1218.008
Sub-technique of:  T1218
Tactic: Defense Evasion
Platforms: Windows
Permissions Required: User
Defense Bypassed: Application control, Digital Certificate Validation
Version: 2.0
Created: 24 January 2020
Last Modified: 11 March 2022

Procedure Examples

ID Name Description
S1039 Bumblebee

Bumblebee can use odbcconf.exe to run DLLs on targeted hosts.[5]

G0080 Cobalt Group

Cobalt Group has used odbcconf to proxy the execution of malicious DLL files.[4]

Mitigations

ID Mitigation Description
M1042 Disable or Remove Feature or Program

Odbcconf.exe may not be necessary within a given environment.

M1038 Execution Prevention

Use application control configured to block execution of Odbcconf.exe if it is not required for a given system or network to prevent potential misuse by adversaries.

Detection

ID Data Source Data Component Detects
DS0017 Command Command Execution

Command arguments used before and after the invocation of odbcconf.exe may also be useful in determining the origin and purpose of the DLL being loaded.

DS0011 Module Module Load

Monitor DLL/PE file events, specifically creation of these binary files as well as the loading of DLLs into processes. Look for DLLs that are not recognized or not normally loaded into a process.

DS0009 Process Process Creation

Use process monitoring to monitor the execution and arguments of odbcconf.exe. Compare recent invocations of odbcconf.exe with prior history of known good arguments and loaded DLLs to determine anomalous and potentially adversarial activity.

References