Potentially Suspicious DLL Registered Via Odbcconf.EXE

Sigma Rules

Summary
This detection rule flags process creations of the "odbcconf.exe" utility whose command line contains the "REGSVR" action (odbcconf's /A {REGSVR path} form), which loads and registers a Dynamic Link Library (DLL) on Windows. The distinguishing condition is that the path handed to REGSVR does not carry the expected ".dll" extension. Because odbcconf.exe is a Microsoft-signed system binary, attackers use it as a living-off-the-land loader for their own DLL, and storing that payload under another extension (a file that looks like a text file or an image, for instance) helps it slip past controls and analysts that only look for DLL files. The rule is therefore useful for monitoring process telemetry around ODBC configuration and catching this particular evasion pattern. Two practical caveats: the check is command-line only, so a DLL supplied through an odbcconf response file (the /F option) is not covered, and a plain ".dll" substring check can be satisfied by a double extension such as "payload.dll.txt", so the extension test should be applied to the REGSVR target itself rather than to the whole command line.
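The logic described above, re-implemented in Python over constructed process-creation events as an added example. This is not the Sigma rule's own YAML and not code from the rule's authors; the events are made up for illustration and are shaped like Sysmon Event ID 1 fields (Image, OriginalFileName, CommandLine). Unlike a whole-command-line substring check, the example parses the REGSVR target out of the command line and tests its extension, which also catches double extensions.

```python
"""Odbcconf REGSVR detection example (added illustration, not the Sigma rule itself)."""
import re

# Constructed sample events, shaped like Sysmon Event ID 1 fields. Not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\odbcconf.exe", "OriginalFileName": "odbcconf.exe",
     "CommandLine": r'odbcconf.exe /S /A {REGSVR "C:\Users\Public\update.txt"}'},
    {"Image": r"C:\Windows\System32\odbcconf.exe", "OriginalFileName": "odbcconf.exe",
     "CommandLine": r'odbcconf.exe /A {REGSVR "C:\Program Files\Vendor\driver.dll"}'},
    # Renamed copy of odbcconf; OriginalFileName from the PE header still identifies it.
    {"Image": r"C:\Temp\oc.exe", "OriginalFileName": "odbcconf.exe",
     "CommandLine": r'oc.exe /A {REGSVR C:\Users\bob\AppData\Local\Temp\payload}'},
    # Different LOLBin; 'regsvr32' contains the letters REGSVR but is out of scope here.
    {"Image": r"C:\Windows\System32\regsvr32.exe", "OriginalFileName": "REGSVR32.EXE",
     "CommandLine": r"regsvr32.exe /s C:\Users\Public\x.png"},
    # Legitimate odbcconf use without a REGSVR action.
    {"Image": r"C:\Windows\System32\odbcconf.exe", "OriginalFileName": "odbcconf.exe",
     "CommandLine": r'odbcconf.exe /A {CONFIGSYSDSN "SQL Server" "DSN=foo"}'},
    # Double extension: a naive '.dll' substring filter would suppress this one.
    {"Image": r"C:\Windows\System32\odbcconf.exe", "OriginalFileName": "odbcconf.exe",
     "CommandLine": r'odbcconf.exe /A {REGSVR "C:\Users\Public\evil.dll.txt"}'},
]

# REGSVR followed by either a double-quoted path or a bare token ending at whitespace or '}'.
_REGSVR_RE = re.compile(r'REGSVR\s+(?:"([^"]+)"|([^\s}]+))', re.IGNORECASE)


def is_odbcconf(event):
    """True if the process is odbcconf.exe, by image path or by PE OriginalFileName."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith("\\odbcconf.exe") or original == "odbcconf.exe"


def regsvr_target(cmdline):
    """Return the path passed to the REGSVR action, or None if there is no such action."""
    match = _REGSVR_RE.search(cmdline)
    if not match:
        return None
    return match.group(1) or match.group(2)


def contains_dll_substring(cmdline):
    """The weak filter: does '.dll' appear anywhere in the command line?"""
    return ".dll" in cmdline.lower()


def classify(event):
    """Mirror the rule: odbcconf + REGSVR + target not ending in .dll => SUSPICIOUS."""
    if not is_odbcconf(event):
        return "not-odbcconf"
    target = regsvr_target(event.get("CommandLine", ""))
    if target is None:
        return "no-regsvr"
    if target.lower().endswith(".dll"):
        return "regsvr-dll"  # ordinary DLL registration, filtered out
    return "SUSPICIOUS"


def run_detection(events):
    """Return the command lines of all events the rule would alert on."""
    return [e["CommandLine"] for e in events if classify(e) == "SUSPICIOUS"]


if __name__ == "__main__":
    for cmd in run_detection(SAMPLE_EVENTS):
        print("ALERT:", cmd)
```

Of the six constructed events, three trigger: the .txt payload, the bare "payload" file loaded by a renamed odbcconf binary, and the evil.dll.txt double extension. The last one is the reason to test the parsed target rather than the whole command line: contains_dll_substring() returns True for it, so a substring-based exclusion would silently drop the alert.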
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
Created: 2023-05-22