Process

unknown

odbcconf.exe

odbcconf.exe is the ODBC configuration tool, used to configure ODBC drivers and data sources from the command line. It is rarely seen in normal use. Attackers abuse its ability to register a DLL to run a malicious DLL through a signed Microsoft binary.

File identity

File details

Not observed.

Signing information

Not observed.

File version

Not observed.

File size

Not observed.

Execution context

File paths

Not observed.

User context

Not observed.

Integrity level

Not observed.

Instances

Not observed.

Session

Not observed.

Token privileges

Not observed.

Ancestry

Parents

Not observed.

Children

Not observed.

Grandparents

Not observed.

Grandchildren

Not observed.

Behavior

Loaded modules

Not observed.

Named pipes

Not observed.

Process handles

Not observed.

Command-line patterns

Not observed.

LOLBAS
  • odbcconf /a {REGSVR {PATH_ABSOLUTE:.dll}} (Execute): Execute a DLL file using a technique that can evade defensive countermeasures
  • odbcconf INSTALLDRIVER "lolbas-project|Driver={PATH_ABSOLUTE:.dll}|APILevel=2" followed by odbcconf configsysdsn "lolbas-project" "DSN=lolbas-project" (Execute): Execute a DLL file using a technique that can evade defensive countermeasures
  • odbcconf -f {PATH:.rsp} (Execute): Execute a DLL file using a technique that can evade defensive countermeasures

Indicators

Hashes

Not observed.

Analysis

About this process

odbcconf.exe sets up ODBC drivers and data source names (DSNs). One of its actions, REGSVR, registers a DLL, and in doing so it loads that DLL and calls into it, which is the behavior attackers repurpose. It can also take its actions from a response file. The genuine binary lives at C:\Windows\System32\odbcconf.exe, with a 32-bit copy under SysWOW64.

Legitimately, odbcconf is run by administrators and database-driver installers to configure ODBC, which is uncommon on most endpoints. The action it performs and the DLL or response file it is given are what give an instance meaning.

Security notes

odbcconf.exe is a system-binary proxy (T1218.008). Its REGSVR action loads and registers a DLL, so an attacker runs odbcconf /a {REGSVR evil.dll} to have the signed Microsoft binary load and execute their DLL, bypassing application-control rules that trust Microsoft binaries. A response file can carry the same instruction to obscure the command line.

Because ODBC configuration is rare on ordinary hosts, odbcconf running at all is notable, and a REGSVR of a DLL from a temp or download folder, or a parent like an Office application, marks it as abuse rather than driver setup.

Anomaly signals
  • A REGSVR action loading a DLL from a user-writable path (high)
  • A response file (/f) from a temp or download location (high)
  • Parent is an Office application, a script host, cmd.exe, or powershell.exe (high)
  • odbcconf spawning a shell or making outbound network connections (high)
  • Run on a host with no ODBC or database-driver activity (med)
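The security notes and anomaly signals above, turned into a triage check a defender can run over process-creation telemetry. This is an added example, not code from this page or from any product; the event field names (image, command_line, parent_image), the user-writable path list, the parent list and the sample events are assumptions constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

# Paths an unprivileged user can write to (assumption: standard Windows layout); a DLL or .rsp here is not a vendor driver install.
USER_WRITABLE = re.compile(r"\\(users\\[^\\]+\\|temp\\|downloads\\|appdata\\|programdata\\)", re.I)
# Parents the anomaly signals call out: Office applications, script hosts, cmd.exe and powershell.exe.
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                      "wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe", "powershell.exe"}

def extract_paths(cmdline: str) -> Dict[str, str]:
    """Pull the REGSVR DLL, the INSTALLDRIVER Driver= DLL and any /f or -f response file out of a command line."""
    found: Dict[str, str] = {}
    if m := re.search(r"\{\s*REGSVR\s+([^}]+?)\s*\}", cmdline, re.I):
        found["regsvr_dll"] = m.group(1).strip('"')
    if m := re.search(r"Driver=([^|\"]+)", cmdline, re.I):
        found["driver_dll"] = m.group(1).strip()
    if m := re.search(r"(?:^|\s)[/-]f\s+\"?([^\s\"]+)", cmdline, re.I):
        found["response_file"] = m.group(1)
    return found

def score_odbcconf(event: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (signal, severity) pairs for one odbcconf.exe process-creation event; an empty list means nothing flagged."""
    signals: List[Tuple[str, str]] = []
    if event["image"].lower().rsplit("\\", 1)[-1] != "odbcconf.exe":
        return signals
    paths = extract_paths(event["command_line"])
    dll = paths.get("regsvr_dll") or paths.get("driver_dll")
    if dll and USER_WRITABLE.search(dll):
        signals.append(("dll loaded from user-writable path", "high"))
    rsp = paths.get("response_file")
    if rsp and USER_WRITABLE.search(rsp):
        signals.append(("response file from user-writable path", "high"))
    parent = event.get("parent_image", "").lower().rsplit("\\", 1)[-1]
    if parent in SUSPICIOUS_PARENTS:
        signals.append((f"suspicious parent {parent}", "high"))
    return signals

# Constructed sample events, not real telemetry: a vendor driver install, then the two abuse patterns from the notes above.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\odbcconf.exe", "parent_image": r"C:\Windows\System32\msiexec.exe",
     "command_line": r'odbcconf INSTALLDRIVER "Vendor ODBC|Driver=C:\Program Files\Vendor\vendor32.dll|APILevel=2"'},
    {"image": r"C:\Windows\System32\odbcconf.exe", "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "command_line": r"odbcconf /a {REGSVR C:\Users\alice\AppData\Local\Temp\update.dll}"},
    {"image": r"C:\Windows\SysWOW64\odbcconf.exe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"odbcconf -f C:\Users\alice\Downloads\cfg.rsp"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["command_line"], "->", score_odbcconf(ev) or "no signals")
```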

Telemetry

OS prevalence

Not observed.

Observation timeline

Not observed.

References
