# T1218.008 - Odbcconf

## Description from ATT&CK

Adversaries may abuse `odbcconf.exe` to proxy execution of malicious payloads. `odbcconf.exe` is a Windows utility that allows you to configure Open Database Connectivity (ODBC) drivers and data source names.(Citation: Microsoft odbcconf.exe) `odbcconf.exe` is digitally signed by Microsoft.

Adversaries may abuse `odbcconf.exe` to bypass application control solutions that do not account for its potential abuse. Similar to Regsvr32, `odbcconf.exe` has a REGSVR flag that can be misused to execute DLLs (ex: `odbcconf.exe /S /A {REGSVR "C:\Users\Public\file.dll"}`). (Citation: LOLBAS Odbcconf)(Citation: TrendMicro Squiblydoo Aug 2017)(Citation: TrendMicro Cobalt Group Nov 2017)
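As an added example (not part of the Atomic Red Team page or its test definitions), the following Python picks the REGSVR invocation described above out of process-creation telemetry: it matches `odbcconf.exe` by image name, extracts the DLL path from the `{REGSVR ...}` action regardless of quoting or letter case, and ranks the hit by whether the DLL sits under a system or Program Files directory. The event field names follow Sysmon Event ID 1 (`Image`, `CommandLine`, `ParentImage`); the sample records, the `vendor_odbc.dll` name and the trusted-prefix list are constructed for illustration and are assumptions, not data from the page.

```python
import re
from pathlib import PureWindowsPath
from typing import Optional

# Constructed process-creation records in Sysmon Event ID 1 style (Image,
# CommandLine, ParentImage). These are made-up samples for this example,
# not captured telemetry; vendor_odbc.dll is a placeholder name.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\odbcconf.exe",
     "CommandLine": r'odbcconf.exe /S /A {REGSVR "C:\Users\Public\file.dll"}',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\SysWOW64\odbcconf.exe",
     "CommandLine": r"odbcconf.exe /a {regsvr C:\Users\bob\AppData\Local\Temp\x.dll}",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"Image": r"C:\Windows\System32\odbcconf.exe",
     "CommandLine": r'odbcconf.exe /S /A {REGSVR "C:\Windows\System32\vendor_odbc.dll"}',
     "ParentImage": r"C:\Windows\System32\msiexec.exe"},
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s C:\Users\Public\file.dll",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

# The REGSVR action as it appears on the odbcconf command line: {REGSVR <dll>},
# with the DLL path optionally quoted. Matched case-insensitively so that
# "regsvr" instead of "REGSVR" does not evade the rule.
REGSVR_RE = re.compile(r'\{\s*REGSVR\s+"?([^"}]+?)"?\s*\}', re.IGNORECASE)

# Directories where a DLL registered through odbcconf.exe is plausibly a real
# ODBC driver. Anything outside these is treated as high severity. Assumed
# starting point for the example, not an allowlist that fits every environment.
TRUSTED_PREFIXES = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)


def _normalize(path: str) -> str:
    """Strip quotes/whitespace and lower-case a Windows path for comparison."""
    return str(PureWindowsPath(path.strip().strip('"'))).lower()


def _is_trusted_path(path: str) -> bool:
    return any(path.startswith(prefix) for prefix in TRUSTED_PREFIXES)


def inspect_event(event: dict) -> Optional[dict]:
    """Return a finding if the event is odbcconf.exe registering a DLL, else None."""
    image_name = PureWindowsPath(event.get("Image", "")).name.lower()
    if image_name != "odbcconf.exe":
        return None
    match = REGSVR_RE.search(event.get("CommandLine", ""))
    if match is None:
        return None  # odbcconf.exe ran, but with no REGSVR action on the command line
    dll = _normalize(match.group(1))
    return {
        "dll": dll,
        "severity": "low" if _is_trusted_path(dll) else "high",
        "parent": PureWindowsPath(event.get("ParentImage", "")).name.lower(),
        "command_line": event["CommandLine"],
    }


def scan(events) -> list:
    """Run inspect_event over a batch of records and keep the hits."""
    return [f for f in (inspect_event(e) for e in events) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[{finding['severity'].upper()}] parent={finding['parent']} dll={finding['dll']}")
```

The parent process is the field an analyst would pivot on next: `odbcconf.exe` spawned by an Office process or a shell is a very different picture from the same command under an installer. The low-severity bucket exists because driver installers may legitimately register ODBC DLLs through this utility, so a rule that fires on every REGSVR action needs the path check to stay usable.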

## Atomic Tests


## Atomic Test #1 - Odbcconf.exe - Execute Arbitrary DLL

Execute arbitrary DLL file stored locally.

**Supported Platforms:** Windows

#### Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| dll_payload | DLL to execute | Path | PathToAtomicsFolder\T1218.008\src\Win32\T1218-2.dll |

#### Attack Commands: Run with `command_prompt`!

```cmd
odbcconf.exe /S /A {REGSVR "#{dll_payload}"}
```

#### Dependencies: Run with `powershell`!

##### Description: T1218-2.dll must exist on disk at specified location (#{dll_payload})

##### Check Prereq Commands:

```powershell
if (Test-Path #{dll_payload}) {exit 0} else {exit 1}
```

##### Get Prereq Commands:

```powershell
New-Item -Type Directory (split-path #{dll_payload}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.008/src/Win32/T1218-2.dll" -OutFile "#{dll_payload}"
```