New DLL Registered Via Odbcconf.EXE

Sigma Rules

Summary
This rule detects the execution of odbcconf.exe with the REGSVR command, which registers a Dynamic Link Library (DLL): odbcconf loads the DLL and calls its DllRegisterServer export, the same thing regsvr32.exe does. odbcconf.exe is a legitimate, Microsoft-signed ODBC configuration utility, which is precisely why attackers use it: a DLL registered this way is loaded and executed under a trusted binary, sidestepping controls that only watch regsvr32.

The detection works on process-creation events. It checks that the running image is odbcconf.exe and that the command line contains both the string 'REGSVR' and a reference to a '.dll' file. An alert is generated only when all of these conditions hold together; the REGSVR or .dll substring alone is not enough.

Legitimate uses of odbcconf (for example, registering ODBC driver DLLs during a driver installation) will also match, so false positives are expected. Before acting on an alert, investigate the registered DLL's path (user-writable locations such as user profiles, temp folders and ProgramData are far more suspicious than Program Files or System32), its signature and contents, and the parent process that launched odbcconf.
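The following is an added example, not the Sigma rule itself and not code from the rule's authors. It replays the detection logic described above over a handful of constructed Sysmon-style process-creation events (the event dicts, the field names Image and CommandLine, and the list of "suspicious" directories used for triage are all assumptions made here for illustration) and shows which events match and which registered DLL path a responder would go and look at.

```python
"""Replay the 'New DLL Registered Via Odbcconf.EXE' logic over constructed
process-creation events. Added example; the events and the triage heuristic
are assumptions, not part of the original rule."""
import re


def matches_odbcconf_regsvr(event: dict) -> bool:
    """Core detection: image is odbcconf.exe AND command line contains both
    'REGSVR' and '.dll'. Comparisons are case-insensitive because Windows
    paths and odbcconf arguments are."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "").lower()
    if not image.endswith("\\odbcconf.exe"):
        return False
    return "regsvr" in cmd and ".dll" in cmd


# Pull the DLL path out of '/a {REGSVR <path>}'; tolerates quoted paths
# and paths containing spaces (assumed syntax, matches odbcconf's /a form).
DLL_RE = re.compile(r'regsvr\s+"?([^}"]+?\.dll)', re.IGNORECASE)


def registered_dll(cmdline: str):
    """Return the DLL path odbcconf was asked to register, or None."""
    m = DLL_RE.search(cmdline)
    return m.group(1).strip() if m else None


# Assumed triage heuristic (not part of the rule): DLLs registered from
# user-writable or temporary locations deserve a closer look than DLLs
# under Program Files or System32.
SUSPICIOUS_DIRS = ("\\users\\", "\\temp\\", "\\programdata\\", "\\appdata\\")


def triage(event: dict):
    """None if the rule does not fire; otherwise the DLL path and a flag
    saying whether its location is user-writable."""
    if not matches_odbcconf_regsvr(event):
        return None
    dll = registered_dll(event.get("CommandLine", ""))
    suspicious = dll is not None and any(d in dll.lower() for d in SUSPICIOUS_DIRS)
    return {"dll": dll, "suspicious_path": suspicious}


# Constructed sample events (Sysmon Event ID 1 style fields).
SAMPLE_EVENTS = [
    {   # attacker-style: DLL in a user-writable directory
        "Image": r"C:\Windows\System32\odbcconf.exe",
        "CommandLine": r"odbcconf.exe /a {REGSVR C:\Users\Public\update.dll}",
    },
    {   # legitimate driver install: matches the rule, likely a false positive
        "Image": r"C:\Windows\System32\odbcconf.exe",
        "CommandLine": r"odbcconf.exe /a {REGSVR C:\Program Files\Vendor\driver.dll}",
    },
    {   # benign odbcconf use without REGSVR: must not match
        "Image": r"C:\Windows\System32\odbcconf.exe",
        "CommandLine": r'odbcconf.exe /a {CONFIGSYSDSN "SQL Server" "DSN=Finance"}',
    },
    {   # plain regsvr32: different image, out of scope for this rule
        "Image": r"C:\Windows\System32\regsvr32.exe",
        "CommandLine": r"regsvr32 /s C:\Users\Public\x.dll",
    },
]


def run_all(events=SAMPLE_EVENTS):
    """Triage every event; returns a list parallel to the input."""
    return [triage(e) for e in events]


if __name__ == "__main__":
    for ev, result in zip(SAMPLE_EVENTS, run_all()):
        print(ev["CommandLine"])
        print("   ->", "no alert" if result is None else result)
```

Note that the rule only sees the command-line string: the second event shows the expected false positive from a legitimate driver registration, and any invocation that hides the REGSVR action in an odbcconf response file (the /f switch) would not match at all, so the rule is a starting point for triage rather than a definitive verdict.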
Categories
  • Windows
  • Endpoint
  • Infrastructure
Data Sources
  • Process
Created: 2023-05-22