Date: 02/04/2025
Severity: Medium
Summary
This detection fires when "odbcconf.exe" is executed with the "-f" flag to load a response file whose name does not carry the usual ".rsp" extension. Loading a response file with an unexpected extension is a sign of potentially suspicious activity and warrants investigation.
Indicators of Compromise (IOC) List
Field | Value(s) |
Image | '\odbcconf.exe', 'C:\Windows\System32\odbcconf.exe' |
OriginalFileName | 'odbcconf.exe' |
CommandLine | ' -f ' (selection); '.rsp' and '.exe /E /F "C:\WINDOWS\system32\odbcconf.tmp"' (negated in the queries below) |
ParentImage | 'C:\Windows\System32\runonce.exe' (negated in the queries below) |
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Query | Logic |
Detection Query 1 | resourcename in ("Windows Security") AND eventtype = "4688" AND newprocessname like "\odbcconf.exe" AND processname like "odbcconf.exe" AND commandline like "-f" AND commandline not like ".rsp" AND parentprocessname not like "C:\Windows\System32\runonce.exe" AND processname like "C:\Windows\System32\odbcconf.exe" AND commandline not like ".exe /E /F \"C:\WINDOWS\system32\odbcconf.tmp\"" |
Detection Query 2 | technologygroup = "EDR" AND newprocessname like "\odbcconf.exe" AND processname like "odbcconf.exe" AND commandline like "-f" AND commandline not like ".rsp" AND parentprocessname not like "C:\Windows\System32\runonce.exe" AND processname like "C:\Windows\System32\odbcconf.exe" AND commandline not like ".exe /E /F \"C:\WINDOWS\system32\odbcconf.tmp\"" |
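The following matcher is an added example, not Gurucul's or SigmaHQ's code: it applies the indicator list above (odbcconf image or original file name, " -f " in the command line, no ".rsp", and the runonce.exe / odbcconf.tmp exclusion) to process-creation events so the logic can be tested offline. Field names follow the IOC list; the sample events are constructed. Note one deliberate difference from the two queries above: the queries negate the parent-process term and the odbcconf.tmp command-line term independently (both "not like" conditions must hold), whereas this example excludes only events matching the pair together, so an odbcconf.exe child of runonce.exe with a different command line is still flagged here.

```python
"""Matcher for suspicious odbcconf.exe response-file execution (added example).

Mirrors the IOC list: selection on the binary, ' -f ' in the command line,
no '.rsp', and an exclusion for the runonce.exe / odbcconf.tmp pattern.
Comparisons are case-insensitive because Windows paths and flags are.
"""
from typing import Dict, List

Event = Dict[str, str]

# Exclusion values taken from the IOC list on this page
RUNONCE_PARENT = r"C:\Windows\System32\runonce.exe"
RUNONCE_CMD_FRAGMENT = r'.exe /E /F "C:\WINDOWS\system32\odbcconf.tmp"'


def is_odbcconf(event: Event) -> bool:
    """Selection on the binary: image path ends with \\odbcconf.exe, or the PE
    OriginalFileName is odbcconf.exe (this second check catches renamed copies)."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith("\\odbcconf.exe") or original == "odbcconf.exe"


def is_suspicious_odbcconf(event: Event) -> bool:
    """True when odbcconf loads a response file (-f) whose name lacks .rsp,
    unless the event matches the runonce.exe / odbcconf.tmp pattern."""
    if not is_odbcconf(event):
        return False
    cmd_l = event.get("CommandLine", "").lower()
    if " -f " not in cmd_l:
        return False            # not a response-file load
    if ".rsp" in cmd_l:
        return False            # expected response-file extension
    parent_l = event.get("ParentImage", "").lower()
    if parent_l == RUNONCE_PARENT.lower() and RUNONCE_CMD_FRAGMENT.lower() in cmd_l:
        return False            # known benign pattern from the IOC list
    return True


def find_suspicious(events: List[Event]) -> List[Event]:
    """Return the events that should raise an alert."""
    return [e for e in events if is_suspicious_odbcconf(e)]


# Constructed sample events (hypothetical paths and file names)
SAMPLE_EVENTS: List[Event] = [
    {   # response file with a disguised extension -> alert
        "Image": r"C:\Windows\System32\odbcconf.exe",
        "OriginalFileName": "odbcconf.exe",
        "CommandLine": r"odbcconf.exe -f C:\Users\Public\update.txt",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
    {   # ordinary .rsp response file -> no alert
        "Image": r"C:\Windows\System32\odbcconf.exe",
        "OriginalFileName": "odbcconf.exe",
        "CommandLine": r"odbcconf.exe -f C:\ProgramData\driver.rsp",
        "ParentImage": r"C:\Windows\System32\msiexec.exe",
    },
    {   # constructed to exercise the runonce.exe / odbcconf.tmp exclusion -> no alert
        "Image": r"C:\Windows\System32\odbcconf.exe",
        "OriginalFileName": "odbcconf.exe",
        "CommandLine": r'C:\WINDOWS\system32\odbcconf.exe /E /F "C:\WINDOWS\system32\odbcconf.tmp" -f install',
        "ParentImage": RUNONCE_PARENT,
    },
    {   # renamed binary, caught through OriginalFileName -> alert
        "Image": r"C:\Users\Public\svc.exe",
        "OriginalFileName": "odbcconf.exe",
        "CommandLine": r"svc.exe -f C:\Users\Public\x.dat",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {   # runonce.exe parent but a different command line -> alert (see lead-in)
        "Image": r"C:\Windows\System32\odbcconf.exe",
        "OriginalFileName": "odbcconf.exe",
        "CommandLine": r"odbcconf.exe -f C:\Temp\a.dat",
        "ParentImage": RUNONCE_PARENT,
    },
]


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print("ALERT:", hit["ParentImage"], "->", hit["CommandLine"])
```

Running the module prints three alerts out of the five constructed events. The OriginalFileName check is what makes the fourth event visible; an image-path check alone would miss a renamed copy of the binary.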
Reference:
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_odbcconf_response_file_susp.yml