# ODBCCONF

Adversaries may abuse odbcconf.exe to proxy execution of malicious payloads. Odbcconf.exe is a Windows utility that allows you to configure Open Database Connectivity (ODBC) drivers and data source names. Odbcconf.exe is digitally signed by Microsoft.

Adversaries may abuse odbcconf.exe to bypass application control solutions that do not account for its potential abuse. Similar to Regsvr32, odbcconf.exe has a REGSVR flag that can be misused to execute DLLs (e.g., `odbcconf.exe /S /A {REGSVR "C:\Users\Public\file.dll"}`).

**Example**

In this example, simply using the command-line payload offered on MITRE gives us proper execution.

![](https://315180959-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MRh03Vwd4nuiUi3Oje7%2F-MRkYJOaYqP1MTpXbWbc%2F-MRkYR5DrTv2MuG4djbi%2Fimage.png?alt=media\&token=b267f2ee-08e1-4be9-aeb5-1fc6e0ddf475)

Process Explorer

![](https://315180959-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MRh03Vwd4nuiUi3Oje7%2F-MRkYJOaYqP1MTpXbWbc%2F-MRkYRoeafEKGqvDbeQf%2Fimage.png?alt=media\&token=857c16bb-1af3-4fb1-8b11-eafd97e5b4be)

We can also execute **rsp** (response file) payloads. The file contains the REGSVR parameter and the file we are executing. In this sample, the payload is located in the same working directory as the response file.

![](https://315180959-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MRh03Vwd4nuiUi3Oje7%2F-MRkYJOaYqP1MTpXbWbc%2F-MRkYSctDJ-UKJMQJ7m_%2Fimage.png?alt=media\&token=5dd5c5e8-8947-47f4-9cc3-050214f38692)

Demo

![](https://315180959-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MRh03Vwd4nuiUi3Oje7%2F-MRkYJOaYqP1MTpXbWbc%2F-MRkYT_qfUBayz3KgzmV%2Fimage.png?alt=media\&token=f5517d6b-0f98-4ced-ba5f-820040a9a231)
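For detection, both invocation forms shown above can be matched in process-creation command lines. The following is an added example, not part of the original notes. It assumes command lines are already collected as strings, that the response file is passed with odbcconf's `/F` switch, and that the response file holds one `REGSVR <path>` action per line; the sample inputs are constructed.

```python
import re

# odbcconf accepts "/" or "-" switches, case-insensitively.
IMAGE_RE = re.compile(r'(?:^|[\\/"\s])odbcconf(?:\.exe)?(?=["\s]|$)', re.I)
# Inline action: /A {REGSVR "C:\path\file.dll"}
REGSVR_RE = re.compile(r'[/-]a\s*\{\s*regsvr\s+"?([^"}]+?)"?\s*\}', re.I)
# Response file: /F file.rsp (the REGSVR line is then hidden inside the file)
RSP_SWITCH_RE = re.compile(r'(?:^|\s)[/-]f\s+("[^"]+"|\S+)', re.I)
# Assumed response-file layout: one "REGSVR <path>" action per line.
RSP_LINE_RE = re.compile(r'^\s*regsvr\s+"?([^"\r\n]+?)"?\s*$', re.I | re.M)


def classify(cmdline):
    """Return (finding, target) tuples for one process command line."""
    if not IMAGE_RE.search(cmdline):
        return []
    hits = [("regsvr_action", m.group(1).strip()) for m in REGSVR_RE.finditer(cmdline)]
    hits += [("response_file", m.group(1).strip('"')) for m in RSP_SWITCH_RE.finditer(cmdline)]
    return hits


def regsvr_targets_in_rsp(text):
    """Return the DLL paths registered by a response file's REGSVR lines."""
    return [m.group(1).strip() for m in RSP_LINE_RE.finditer(text)]


# Constructed sample command lines (not captured telemetry).
SAMPLES = [
    r'odbcconf.exe /S /A {REGSVR "C:\Users\Public\file.dll"}',
    r'"C:\Windows\System32\odbcconf.exe" -f file.rsp',
    r'odbcconf.exe /A {CONFIGSYSDSN "SQL Server" "DSN=Test|Server=db01"}',
    r'notepad.exe C:\notes\odbcconf.txt',
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(classify(line) or "no finding", "<-", line)
    print(regsvr_targets_in_rsp("REGSVR file.dll\n"))
```

A `response_file` finding carries no DLL path on the command line, so the referenced file has to be retrieved and passed to `regsvr_targets_in_rsp` to see what was registered.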

References:

<https://github.com/woanware/application-restriction-bypasses>

<https://gist.github.com/NickTyrer/6ef02ce3fd623483137b45f65017352b>

<https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/>

