New DLL Registered Via Odbcconf.EXE (9f0a8bf3-a65b-440a-8c1e-5cb1547c8e70)

Detects execution of "odbcconf" with "REGSVR" in order to register a new DLL (equivalent to running regsvr32). Attackers abuse this to install and run malicious DLLs.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
| --- | --- | --- | --- | --- |
| New DLL Registered Via Odbcconf.EXE (9f0a8bf3-a65b-440a-8c1e-5cb1547c8e70) | Sigma-Rules | Odbcconf - T1218.008 (6e3bd510-6b33-41a4-af80-2d80f3ee0071) | Attack Pattern | 1 |
| Odbcconf - T1218.008 (6e3bd510-6b33-41a4-af80-2d80f3ee0071) | Attack Pattern | System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) | Attack Pattern | 2 |