Hub configuration

More info

1type: trigger

2name: sigmahq/proc_creation_win_odbcconf_exec_susp_locations

3description: |

4 Detects execution of "odbcconf" where the path of the DLL being registered is located in a potentially suspicious location.

5filter: |

6 (evt.Meta.service == 'sysmon' && evt.Parsed.EventID == '1') && ((evt.Parsed.Image endsWith '\\odbcconf.exe' || evt.Parsed.OriginalFileName == 'odbcconf.exe') && (evt.Parsed.CommandLine contains ':\\PerfLogs\\' || evt.Parsed.CommandLine contains ':\\ProgramData\\' || evt.Parsed.CommandLine contains ':\\Temp\\' || evt.Parsed.CommandLine contains ':\\Users\\Public\\' || evt.Parsed.CommandLine contains ':\\Windows\\Registration\\CRMLog' || evt.Parsed.CommandLine contains ':\\Windows\\System32\\com\\dmp\\' || evt.Parsed.CommandLine contains ':\\Windows\\System32\\FxsTmp\\' || evt.Parsed.CommandLine contains ':\\Windows\\System32\\Microsoft\\Crypto\\RSA\\MachineKeys\\' || evt.Parsed.CommandLine contains ':\\Windows\\System32\\spool\\drivers\\color\\' || evt.Parsed.CommandLine contains ':\\Windows\\System32\\spool\\PRINTERS\\' || evt.Parsed.CommandLine contains ':\\Windows\\System32\\spool\\SERVERS\\' || evt.Parsed.CommandLine contains ':\\Windows\\System32\\Tasks_Migrated\\' || evt.Parsed.CommandLine contains ':\\Windows\\System32\\Tasks\\Microsoft\\Windows\\SyncCenter\\' || evt.Parsed.CommandLine contains ':\\Windows\\SysWOW64\\com\\dmp\\' || evt.Parsed.CommandLine contains ':\\Windows\\SysWOW64\\FxsTmp\\' || evt.Parsed.CommandLine contains ':\\Windows\\SysWOW64\\Tasks\\Microsoft\\Windows\\PLA\\System\\' || evt.Parsed.CommandLine contains ':\\Windows\\SysWOW64\\Tasks\\Microsoft\\Windows\\SyncCenter\\' || evt.Parsed.CommandLine contains ':\\Windows\\Tasks\\' || evt.Parsed.CommandLine contains ':\\Windows\\Temp\\' || evt.Parsed.CommandLine contains ':\\Windows\\Tracing\\' || evt.Parsed.CommandLine contains '\\AppData\\Local\\Temp\\' || evt.Parsed.CommandLine contains '\\AppData\\Roaming\\'))

7blackhole: 2m

8#status: test

9labels:

10 service: windows

11 confidence: 1

12 spoofable: 0

13 classification:

14 - attack.t1218.008

16 label: "Odbcconf.EXE Suspicious DLL Location"

17 behavior : "windows:audit"

18 remediation: false

20scope:

21 type: ParentProcessId

22 expression: evt.Parsed.ParentProcessId

Hub configuration

« proc_creation_win_odbcconf_exec_susp_locations »v0.2 by sigmahqAttack scenarioservice:windowsspoofable:0MITRE:t1218confidence:1

« proc_creation_win_odbcconf_exec_susp_locations »
v0.2 by sigmahq
Attack scenarioservice:windowsspoofable:0MITRE:t1218confidence:1