mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-08 02:08:54 +00:00
31 lines
919 B
YAML
31 lines
919 B
YAML
title: Possible Application Whitelisting Bypass via dll loaded by odbcconf.exe
|
|
description: Defence evasion via odbcconf.exe loading DLL specified in target .RSP file
|
|
status: experimental
|
|
references:
|
|
- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Odbcconf.yml
|
|
author: Beyu Denis, Daniil Yugoslavskiy, oscd.community
|
|
date: 2019/10/25
|
|
modified: 2019/11/04
|
|
tags:
|
|
- attack.defense_evasion
|
|
- attack.execution
|
|
- attack.t1218
|
|
logsource:
|
|
category: process_creation
|
|
product: windows
|
|
detection:
|
|
selection_1:
|
|
Image: '*\odbcconf.exe'
|
|
selection_2:
|
|
CommandLine|contains|all:
|
|
- '-f'
|
|
- '.rsp'
|
|
selection_3:
|
|
CommandLine|contains|all:
|
|
- 'regsvr'
|
|
- '.dll'
|
|
condition: selection_1 and ( selection_2 or selection_3 )
|
|
level: medium
|
|
falsepositives:
|
|
- Legitimate use of odbcconf.exe by legitimate user
|