
Commit 06f33c9

Updating odbcconf, fixes #282 - thanks @hexacorn (#283)
1 parent 2b7fdca commit 06f33c9

File tree

1 file changed

+14
-6
lines changed


yml/OSBinaries/Odbcconf.yml

Lines changed: 14 additions & 6 deletions
@@ -4,15 +4,23 @@ Description: Used in Windows for managing ODBC connections
44
Author: 'Oddvar Moe'
55
Created: 2018-05-25
66
Commands:
7-
- Command: odbcconf -f file.rsp
8-
Description: Load DLL specified in target .RSP file. See the payloads folder for an example .RSP file.
7+
- Command: odbcconf /a {REGSVR c:\test\test.dll}
8+
Description: Execute DllREgisterServer from DLL specified.
99
Usecase: Execute dll file using technique that can evade defensive counter measures
1010
Category: Execute
1111
Privileges: User
1212
MitreID: T1218.008
1313
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
14-
- Command: odbcconf /a {REGSVR c:\test\test.dll}
15-
Description: Execute DllREgisterServer from DLL specified.
14+
- Command: odbcconf INSTALLDRIVER "lolbas-project|Driver=c:\test\test.dll|APILevel=2"
15+
odbcconf configsysdsn "lolbas-project" "DSN=lolbas-project"
16+
Description: Install a driver and load the DLL. Requires administrator privileges.
17+
Usecase: Execute dll file using technique that can evade defensive counter measures
18+
Category: Execute
19+
Privileges: User
20+
MitreID: T1218.008
21+
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
22+
- Command: odbcconf -f file.rsp
23+
Description: Load DLL specified in target .RSP file. See the Code Sample section for an example .RSP file.
1624
Usecase: Execute dll file using technique that can evade defensive counter measures
1725
Category: Execute
1826
Privileges: User
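Review bot: the new INSTALLDRIVER/configsysdsn entry says "Requires administrator privileges" in its Description while its `Privileges:` field still says `User`, so the two fields contradict each other; set `Privileges: Administrator` on that entry (or drop the sentence if it is not accurate) so anyone filtering entries on the Privileges field gets the right answer. While this block is being touched, the carried-over "DllREgisterServer" in the first entry should read "DllRegisterServer", and "Windows vista" should be "Windows Vista" to match the capitalisation of the other OS names on the same line.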
@@ -22,15 +30,15 @@ Full_Path:
2230
- Path: C:\Windows\System32\odbcconf.exe
2331
- Path: C:\Windows\SysWOW64\odbcconf.exe
2432
Code_Sample:
25-
- Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/file.rsp
33+
- Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/58b5eb751379501aa237275f14381f0902e979a5/Archive-Old-Version/OSBinaries/Payload/file.rsp
2634
Detection:
2735
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_odbcconf.yml
2836
- Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml
2937
- Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml
3038
Resources:
3139
- Link: https://gist.github.com/NickTyrer/6ef02ce3fd623483137b45f65017352b
3240
- Link: https://github.com/woanware/application-restriction-bypasses
33-
- Link: https://twitter.com/Hexacorn/status/1187143326673330176
41+
- Link: https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/
3442
Acknowledgement:
3543
- Person: Casey Smith
3644
Handle: '@subtee'
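Review bot: the visible Acknowledgement entries still name only Casey Smith, while the commit message credits @hexacorn and the new Resources link points at Hexacorn's write-up; add a matching `- Person:` / `Handle: '@Hexacorn'` entry so the credit lives in the YAML and not only in the commit history. The Code_Sample change is fine as is: pinning the .rsp URL to commit 58b5eb751379501aa237275f14381f0902e979a5 under Archive-Old-Version keeps the link from breaking again if the payload directory moves.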
