ODBCCONF
Adversaries may abuse odbcconf.exe to proxy execution of malicious payloads. Odbcconf.exe is a Windows utility that allows you to configure Open Database Connectivity (ODBC) drivers and data source names. Odbcconf.exe is digitally signed by Microsoft.
Adversaries may abuse odbcconf.exe to bypass application control solutions that do not account for its potential abuse. Similar to Regsvr32, odbcconf.exe has a REGSVR flag that can be misused to execute DLLs (ex: odbcconf.exe /S /A {REGSVR "C:\Users\Public\file.dll"}).
Example
In this example, simply running the command-line payload offered on MITRE gives us proper execution.
Process Explorer
It is also demonstrated that we can execute rsp payloads. The file contains the REGSVR parameter and the file we are executing. In this sample, the payloads are located in the same working directory as the file.
Demo
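For detection, both forms shown above (the REGSVR action on the command line and the rsp file passed with the file switch) can be picked out of process-creation telemetry. The following is an added example, not code from this page or its references: the events are constructed, their field names assume Sysmon Event ID 1, and file.rsp, svc.exe and the DSN values are placeholder names.

```python
import re
from ntpath import basename

# /A {REGSVR <dll>}: odbcconf accepts "/" or "-" as the switch prefix.
REGSVR_RE = re.compile(r'(?i)[/-]a\s*\{\s*regsvr\s+"?([^"}]+?)"?\s*\}')
# /F <file>: the actions, REGSVR included, are read from a response file.
RSP_RE = re.compile(r'(?i)(?:^|\s)[/-]f\s+(?:"([^"]+)"|(\S+))')

def is_odbcconf(event):
    """True for odbcconf.exe by path or by PE original name (survives renaming)."""
    names = (basename(event.get("Image", "")), event.get("OriginalFileName", ""))
    return any(n.lower() == "odbcconf.exe" for n in names)

def classify(event):
    """Return (technique, target) for DLL-loading odbcconf usage, else None."""
    if not is_odbcconf(event):
        return None
    cmd = event.get("CommandLine", "")
    m = REGSVR_RE.search(cmd)
    if m:
        return ("regsvr-action", m.group(1))
    m = RSP_RE.search(cmd)
    if m:
        return ("response-file", m.group(1) or m.group(2))
    return None

# Constructed sample events (field names follow Sysmon Event ID 1).
EVENTS = [
    {"Image": r"C:\Windows\System32\odbcconf.exe", "OriginalFileName": "odbcconf.exe",
     "CommandLine": r'odbcconf.exe /S /A {REGSVR "C:\Users\Public\file.dll"}'},
    {"Image": r"C:\Windows\System32\odbcconf.exe", "OriginalFileName": "odbcconf.exe",
     "CommandLine": r"odbcconf.exe -f file.rsp"},
    # Renamed copy: only OriginalFileName still identifies the binary.
    {"Image": r"C:\Users\Public\svc.exe", "OriginalFileName": "odbcconf.exe",
     "CommandLine": r"svc.exe /a {regsvr file.dll}"},
    # Ordinary DSN configuration, which must not be flagged.
    {"Image": r"C:\Windows\System32\odbcconf.exe", "OriginalFileName": "odbcconf.exe",
     "CommandLine": r'odbcconf.exe /A {CONFIGSYSDSN "SQL Server" "DSN=app|Server=db01"}'},
]

def hunt(events):
    """Return the findings for every event that classify() flags."""
    return [f for f in map(classify, events) if f]

if __name__ == "__main__":
    for technique, target in hunt(EVENTS):
        print(f"{technique}: {target}")
```

A response-file hit means the action is not visible in the command line, so the rsp file itself has to be collected and read to see which DLL was registered.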
References:
https://github.com/woanware/application-restriction-bypasses
https://gist.github.com/NickTyrer/6ef02ce3fd623483137b45f65017352b