Skip to content

DET0486 Detecting Odbcconf Proxy Execution of Malicious DLLs

Item Value
ID DET0486
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1218.008 (Odbcconf)

Analytics

Windows

AN1335

Identifies abuse of odbcconf.exe to execute malicious DLLs using the REGSVR command flag. Behavior chain: (1) Process creation of odbcconf.exe with /REGSVR or /A {REGSVR …} arguments → (2) DLL load by odbcconf.exe of non-standard or unsigned modules → (3) Optional follow-on process creation or network activity from loaded DLL.

Log Sources
Data Component Name Channel
Process Creation (DC0032) WinEventLog:Security EventCode=4688
Module Load (DC0016) WinEventLog:Sysmon EventCode=7
Network Connection Creation (DC0082) WinEventLog:Sysmon EventCode=3, 22
Mutable Elements
Field Description
ParentProcessName List of approved processes that may legitimately invoke odbcconf.exe
AllowedCommandPatterns Known-good odbcconf.exe arguments in the environment
TimeWindow Time range for correlating module loads and network activity after odbcconf.exe execution
ApprovedModuleHashes Baseline of legitimate DLLs loaded by odbcconf.exe