Skip to content

T1218.008 Odbcconf

Adversaries may abuse odbcconf.exe to proxy execution of malicious payloads. Odbcconf.exe is a Windows utility that allows you to configure Open Database Connectivity (ODBC) drivers and data source names.1 The Odbcconf.exe binary may be digitally signed by Microsoft.

Adversaries may abuse odbcconf.exe to bypass application control solutions that do not account for its potential abuse. Similar to Regsvr32, odbcconf.exe has a REGSVR flag that can be misused to execute DLLs (ex: odbcconf.exe /S /A {REGSVR “C:\Users\Public\file.dll”}). 234

Item Value
ID T1218.008
Sub-techniques T1218.001, T1218.002, T1218.003, T1218.004, T1218.005, T1218.007, T1218.008, T1218.009, T1218.010, T1218.011, T1218.012, T1218.013, T1218.014
Tactics TA0005
Platforms Windows
Permissions required User
Version 2.0
Created 24 January 2020
Last Modified 11 March 2022

Procedure Examples

ID Name Description
G0080 Cobalt Group Cobalt Group has used odbcconf to proxy the execution of malicious DLL files.4

Mitigations

ID Mitigation Description
M1042 Disable or Remove Feature or Program Odbcconf.exe may not be necessary within a given environment.
M1038 Execution Prevention Use application control configured to block execution of Odbcconf.exe if it is not required for a given system or network to prevent potential misuse by adversaries.

Detection

ID Data Source Data Component
DS0017 Command Command Execution
DS0011 Module Module Load
DS0009 Process Process Creation

References

  1. Microsoft. (2017, January 18). ODBCCONF.EXE. Retrieved March 7, 2019. 

  2. LOLBAS. (n.d.). Odbcconf.exe. Retrieved March 7, 2019. 

  3. Bermejo, L., Giagone, R., Wu, R., and Yarochkin, F. (2017, August 7). Backdoor-carrying Emails Set Sights on Russian-speaking Businesses. Retrieved March 7, 2019. 

  4. Giagone, R., Bermejo, L., and Yarochkin, F. (2017, November 20). Cobalt Strikes Again: Spam Runs Use Macros and CVE-2017-8759 Exploit Against Russian Banks. Retrieved March 7, 2019. 

Back to top