odbcconf.exe

  • File Path: C:\Windows\system32\odbcconf.exe
  • Description: ODBC Driver Configuration Program

Screenshot

odbcconf.exe

Hashes

Type Hash
MD5 4D7DE33E313C4E6E55FF977BB7E71512
SHA1 262721EE13C92836F7F819C5ECFF389C4D80240F
SHA256 60DA7053B6509A1B5B4C443901EC520F34142EDD61B2DE5092D1EE8276C37E2D
SHA384 7477F0AE4AAF2AE09F385923EF1CEDD361E8D95918FB226B6D719AA07B3C7F687B4EFAF9A13E4126E9D873841343C366
SHA512 66AD6ADD0E93A467B6349E5BAC68F4C4AAF9F489DCFA4329E613CD4E2CF72C24A6A0A2A70C10F852148FDE9D9E8344D1B508EFAA435480C39C6F0B70F583A597
SSDEEP 768:MkdrsPEqAHuaabx3KbY8N5OYtpH30vNkb2:ldQEqAOa3bYingab2

Signature

  • Status: Signature verified.
  • Serial: 33000000BCE120FDD27CC8EE930000000000BC
  • Thumbprint: E85459B23C232DB3CB94C7A56D47678F58E8E51E
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: odbcconf.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.14393.0 (rs1_release.160715-1616)
  • Product Version: 10.0.14393.0
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of odbcconf.exe being misused. While odbcconf.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma proc_creation_win_susp_odbcconf.yml title: Application Whitelisting Bypass via DLL Loaded by odbcconf.exe DRL 1.0
sigma proc_creation_win_susp_odbcconf.yml description: Detects defence evasion attempt via odbcconf.exe execution to load DLL DRL 1.0
sigma proc_creation_win_susp_odbcconf.yml - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Odbcconf.yml DRL 1.0
sigma proc_creation_win_susp_odbcconf.yml Image\|endswith: '\odbcconf.exe' DRL 1.0
sigma proc_creation_win_susp_odbcconf.yml ParentImage\|endswith: '\odbcconf.exe' DRL 1.0
sigma proc_creation_win_susp_odbcconf.yml - Legitimate use of odbcconf.exe by legitimate user DRL 1.0
LOLBAS Odbcconf.yml Name: Odbcconf.exe  
LOLBAS Odbcconf.yml - Command: odbcconf -f file.rsp  
LOLBAS Odbcconf.yml - Command: odbcconf /a {REGSVR c:\test\test.dll}  
LOLBAS Odbcconf.yml - Path: C:\Windows\System32\odbcconf.exe  
LOLBAS Odbcconf.yml - Path: C:\Windows\SysWOW64\odbcconf.exe  
atomic-red-team index.md - T1218.008 Odbcconf MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #1: Odbcconf.exe - Execute Arbitrary DLL [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - T1218.008 Odbcconf MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #1: Odbcconf.exe - Execute Arbitrary DLL [windows] MIT License. © 2018 Red Canary
atomic-red-team matrix.md | | | Shortcut Modification | Valid Accounts CONTRIBUTE A TEST | Odbcconf | | | | | | | | MIT License. © 2018 Red Canary
atomic-red-team windows-matrix.md | | | Shortcut Modification | Winlogon Helper DLL | Odbcconf | | | | | | | | MIT License. © 2018 Red Canary
atomic-red-team T1218.008.md # T1218.008 - Odbcconf MIT License. © 2018 Red Canary
atomic-red-team T1218.008.md <blockquote>Adversaries may abuse odbcconf.exe to proxy execution of malicious payloads. Odbcconf.exe is a Windows utility that allows you to configure Open Database Connectivity (ODBC) drivers and data source names.(Citation: Microsoft odbcconf.exe) Odbcconf.exe is digitally signed by Microsoft. MIT License. © 2018 Red Canary
atomic-red-team T1218.008.md Adversaries may abuse odbcconf.exe to bypass application control solutions that do not account for its potential abuse. Similar to Regsvr32, odbcconf.exe has a REGSVR flag that can be misused to execute DLLs (ex: odbcconf.exe /S /A {REGSVR "C:\Users\Public\file.dll"}). (Citation: LOLBAS Odbcconf)(Citation: TrendMicro Squiblydoo Aug 2017)(Citation: TrendMicro Cobalt Group Nov 2017) MIT License. © 2018 Red Canary
atomic-red-team T1218.008.md - Atomic Test #1 - Odbcconf.exe - Execute Arbitrary DLL MIT License. © 2018 Red Canary
atomic-red-team T1218.008.md ## Atomic Test #1 - Odbcconf.exe - Execute Arbitrary DLL MIT License. © 2018 Red Canary
atomic-red-team T1218.008.md odbcconf.exe /S /A {REGSVR “#{dll_payload}”} MIT License. © 2018 Red Canary
stockpile a74bc239-a196-4f7e-8d5c-fe8c0266071c.yml name: Signed Binary Execution - odbcconf Apache-2.0
stockpile a74bc239-a196-4f7e-8d5c-fe8c0266071c.yml description: Leverage odbcconf for DLL injection Apache-2.0
stockpile a74bc239-a196-4f7e-8d5c-fe8c0266071c.yml odbcconf.exe /S /A {REGSVR "C:\Users\Public\sandcat.dll"} Apache-2.0

MIT License. Copyright (c) 2020-2021 Strontic.