Description
Adversaries may abuse odbcconf.exe to proxy execution of malicious payloads. Odbcconf.exe is a Windows utility that allows you to configure Open Database Connectivity (ODBC) drivers and data source names.(Citation: Microsoft odbcconf.exe) The Odbcconf.exe binary may be digitally signed by Microsoft.
Adversaries may abuse odbcconf.exe to bypass application control solutions that do not account for its potential abuse. Similar to Regsvr32, odbcconf.exe has a REGSVR action that can be misused to load an arbitrary DLL and run its DllRegisterServer export (ex: odbcconf.exe /S /A {REGSVR "C:\Users\Public\file.dll"}, where /S suppresses output and /A supplies the action). The DLL runs inside the signed odbcconf.exe process and need not be a real ODBC driver or live in a driver directory.(Citation: LOLBAS Odbcconf)(Citation: TrendMicro Squiblydoo Aug 2017)(Citation: TrendMicro Cobalt Group Nov 2017)
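The following is an added detection example, not code from the ATT&CK page or from any of the cited reports. It runs over constructed process-creation records shaped like Sysmon Event ID 1 fields (Image, OriginalFileName, CommandLine, ParentImage) and flags the REGSVR pattern from the description above. It also goes beyond the page's single example in two ways a practitioner would want: it catches odbcconf.exe when the file has been renamed on disk (by checking the PE OriginalFileName), and it flags the /F response-file switch, which lets the REGSVR line be moved out of the command line into a file. The sample events, the trusted-path list and the suspicious-parent list are assumptions for illustration, not field data.

```python
"""Detection logic for odbcconf.exe proxy execution (ATT&CK T1218.008).

Added example, not code from the ATT&CK page. Operates on dicts shaped
like Sysmon Event ID 1 records; the sample events below are constructed.
"""
import ntpath
import re

# {REGSVR "<path>"} or {REGSVR <path>} anywhere on the command line.
REGSVR_RE = re.compile(r'\{\s*REGSVR\s+"?([^"}]+?)"?\s*\}', re.IGNORECASE)
# /F <file> (or -f): actions are read from a response file, so the command
# line alone no longer shows what odbcconf was told to load.
RESPONSE_FILE_RE = re.compile(r'(?:^|\s)[/-]f\s+"?([^"\s]+)', re.IGNORECASE)

# Assumed locations where a properly installed ODBC driver DLL would live.
TRUSTED_PREFIXES = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\program files")

# Assumed parents that have no business launching an ODBC configuration tool.
SUSPICIOUS_PARENTS = {
    "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
    "powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe",
}


def is_odbcconf(event):
    """True for odbcconf.exe even if the binary on disk was renamed."""
    image = ntpath.basename(event.get("Image", "")).lower()
    original = event.get("OriginalFileName", "").lower()
    return image == "odbcconf.exe" or original == "odbcconf.exe"


def analyse(event):
    """Return a finding dict for a suspicious odbcconf invocation, else None."""
    if not is_odbcconf(event):
        return None
    cmdline = event.get("CommandLine", "")
    image_name = ntpath.basename(event.get("Image", "")).lower()
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    reasons = []

    dll = None
    untrusted_dll = False
    m = REGSVR_RE.search(cmdline)
    if m:
        dll = m.group(1).strip()
        untrusted_dll = not dll.lower().startswith(TRUSTED_PREFIXES)
        if untrusted_dll:
            reasons.append("REGSVR of DLL outside trusted install paths: " + dll)
        else:
            reasons.append("REGSVR action (DLL in trusted path)")

    response_file = None
    r = RESPONSE_FILE_RE.search(cmdline)
    if r:
        response_file = r.group(1)
        reasons.append("response file used: " + response_file)

    renamed = image_name != "odbcconf.exe"
    if renamed:
        reasons.append("odbcconf.exe renamed on disk (%s)" % image_name)

    bad_parent = parent in SUSPICIOUS_PARENTS
    if bad_parent:
        reasons.append("spawned by " + parent)

    if not reasons:
        return None

    if renamed or untrusted_dll or (response_file and bad_parent):
        severity = "high"
    elif dll is not None or response_file:
        severity = "medium" if bad_parent else "low"
    else:
        severity = "low"

    return {
        "image": event.get("Image", ""),
        "command_line": cmdline,
        "parent": parent,
        "dll": dll,
        "response_file": response_file,
        "reasons": reasons,
        "severity": severity,
    }


def scan(events):
    """Run analyse() over a batch of events and return the findings."""
    return [f for f in (analyse(e) for e in events) if f]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # the exact pattern from the technique description, launched from PowerShell
        "Image": r"C:\Windows\System32\odbcconf.exe", "OriginalFileName": "odbcconf.exe",
        "CommandLine": r'odbcconf.exe /S /A {REGSVR "C:\Users\Public\file.dll"}',
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {   # a driver installer registering a DLL from Program Files: low priority
        "Image": r"C:\Windows\System32\odbcconf.exe", "OriginalFileName": "odbcconf.exe",
        "CommandLine": r'odbcconf.exe /A {REGSVR "C:\Program Files\Vendor ODBC\driver.dll"}',
        "ParentImage": r"C:\Windows\System32\msiexec.exe"},
    {   # renamed copy, actions hidden in a response file, spawned by Word
        "Image": r"C:\Users\Public\svc.exe", "OriginalFileName": "odbcconf.exe",
        "CommandLine": r"svc.exe /f C:\Users\Public\x.rsp",
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {   # not odbcconf at all; ignored by this detector
        "Image": r"C:\Windows\System32\regsvr32.exe", "OriginalFileName": "REGSVR32.EXE",
        "CommandLine": r"regsvr32.exe /s C:\Users\Public\file.dll",
        "ParentImage": r"C:\Windows\explorer.exe"},
    {   # ordinary DSN configuration from the desktop shell: no finding
        "Image": r"C:\Windows\System32\odbcconf.exe", "OriginalFileName": "odbcconf.exe",
        "CommandLine": r'odbcconf.exe /A {CONFIGSYSDSN "SQL Server" "DSN=Reports"}',
        "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding["severity"].upper(), finding["image"], "|", "; ".join(finding["reasons"]))
```

The command line is the weakest signal here: an adversary can move the REGSVR line into a response file or rename the binary, which is why the example keys on OriginalFileName and treats /F as its own indicator. To confirm what was actually loaded, pair this with image-load telemetry (Sysmon Event ID 7) for DLLs loaded by the odbcconf.exe process.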
Platforms
Windows
Mitigations (2)
Disable or Remove Feature or Program (M1042)
Odbcconf.exe may not be necessary within a given environment.
Execution Prevention (M1038)
Use application control configured to block execution of Odbcconf.exe if it is not required for a given system or network to prevent potential misuse by adversaries.
Threat Groups (1)
| ID | Group | Context |
|---|---|---|
| G0080 | Cobalt Group | [Cobalt Group](https://attack.mitre.org/groups/G0080) has used <code>odbcconf</code> to proxy the execution of malicious DLL files.(Citation: TrendMic... |
Associated Software (2)
| ID | Name | Type | Context |
|---|---|---|---|
| S1039 | Bumblebee | Malware | [Bumblebee](https://attack.mitre.org/software/S1039) can use `odbcconf.exe` to run DLLs on targeted hosts.(Citation: Cybereason Bumblebee August 2022) |
| S1130 | Raspberry Robin | Malware | [Raspberry Robin](https://attack.mitre.org/software/S1130) uses the Windows utility odbcconf.exe to execute malicious commands, using the <code>regsvr... |
References
- Bermejo, L., Giagone, R., Wu, R., and Yarochkin, F. (2017, August 7). Backdoor-carrying Emails Set Sights on Russian-speaking Businesses. Retrieved March 7, 2019.
- Giagone, R., Bermejo, L., and Yarochkin, F. (2017, November 20). Cobalt Strikes Again: Spam Runs Use Macros and CVE-2017-8759 Exploit Against Russian Banks. Retrieved March 7, 2019.
- LOLBAS. (n.d.). Odbcconf.exe. Retrieved March 7, 2019.
- Microsoft. (2017, January 18). ODBCCONF.EXE. Retrieved March 7, 2019.
Frequently Asked Questions
What is T1218.008 (Odbcconf)?
T1218.008 is a MITRE ATT&CK sub-technique named 'Odbcconf', under T1218 (System Binary Proxy Execution). It belongs to the Defense Evasion tactic. Adversaries may abuse odbcconf.exe to proxy execution of malicious payloads. Odbcconf.exe is a Windows utility that allows you to configure Open Database Connectivity (ODBC) drivers and data source na...
How can T1218.008 be detected?
Detection of T1218.008 (Odbcconf) relies on process-creation telemetry that records the full command line (Sysmon Event ID 1, or Windows Security Event ID 4688 with command-line auditing enabled). Look for odbcconf.exe invocations whose command line contains a REGSVR action, especially when the DLL path points to a user-writable location such as a profile, Public or Temp directory, when the parent process is an Office application or scripting host, or when actions are supplied through a response file (/F) so that the DLL is not visible on the command line. Match on the binary's original file name rather than only its path, since it may be copied and renamed. Image-load events (Sysmon Event ID 7) showing odbcconf.exe loading a DLL from outside standard driver directories confirm what was actually executed.
What mitigations exist for T1218.008?
There are 2 documented mitigations for T1218.008. Key mitigations include: Disable or Remove Feature or Program, Execution Prevention.
Which threat groups use T1218.008?
Known threat groups using T1218.008 include: Cobalt Group.