feat: add/update rules related to odbcconf (#4228)

2023-05-23 08:08:56 -04:00
parent ce15b7dc8c
commit cd71edc09c
11 changed files with 360 additions and 2 deletions
@@ -1,6 +1,6 @@
 title: Application Whitelisting Bypass via DLL Loaded by odbcconf.exe
 id: 65d2be45-8600-4042-b4c0-577a1ff8a60e
-status: test
+status: deprecated
 description: Detects defence evasion attempt via odbcconf.exe execution to load DLL
 references:
    - https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/
@@ -9,7 +9,7 @@ references:
    - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-94a1964b682707e4e3f77dd61a3bfface5401d08d8cf81145f388e09614aceca
 author: Kirill Kiryanov, Beyu Denis, Daniil Yugoslavskiy, oscd.community
 date: 2019/10/25
-modified: 2023/02/09
+modified: 2023/05/22
 tags:
    - attack.defense_evasion
    - attack.t1218.008
@@ -0,0 +1,32 @@
+title: Driver/DLL Installation Via Odbcconf.EXE
+id: 3f5491e2-8db8-496b-9e95-1029fce852d4
+related:
+    - id: cb0fe7c5-f3a3-484d-aa25-d350a7912729
+      type: similar
+status: experimental
+description: Detects execution of "odbcconf" with "INSTALLDRIVER" which installs a new ODBC driver. Attackers abuse this to install and run malicious DLLs.
+references:
+    - https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/
+    - https://web.archive.org/web/20191023232753/https://twitter.com/Hexacorn/status/1187143326673330176
+    - https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/05/22
+tags:
+    - attack.defense_evasion
+    - attack.t1218.008
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_img:
+        - Image|endswith: '\odbcconf.exe'
+        - OriginalFileName: 'odbcconf.exe'
+    selection_cli:
+        # Note: The "/A" flag is not required to call a specific action
+        CommandLine|contains|all:
+            - 'INSTALLDRIVER '
+            - '.dll'
+    condition: all of selection_*
+falsepositives:
+    - Legitimate driver DLLs being registered via "odbcconf" will generate false positives. Investigate the path of the DLL and its contents to determine if the action is authorized.
+level: medium
@@ -0,0 +1,32 @@
+title: Suspicious Driver/DLL Installation Via Odbcconf.EXE
+id: cb0fe7c5-f3a3-484d-aa25-d350a7912729
+related:
+    - id: 3f5491e2-8db8-496b-9e95-1029fce852d4
+      type: derived
+status: experimental
+description: Detects execution of "odbcconf" with the "INSTALLDRIVER" action where the driver doesn't contain a ".dll" extension. This is often used as a defense evasion method.
+references:
+    - https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/
+    - https://web.archive.org/web/20191023232753/https://twitter.com/Hexacorn/status/1187143326673330176
+    - https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/05/23
+tags:
+    - attack.defense_evasion
+    - attack.t1218.008
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_img:
+        - Image|endswith: '\odbcconf.exe'
+        - OriginalFileName: 'odbcconf.exe'
+    selection_cli:
+        # Note: The "/A" flag is not required to call a specific action
+        CommandLine|contains: 'INSTALLDRIVER '
+    filter_main_dll_ext:
+        CommandLine|contains: '.dll'
+    condition: all of selection_* and not 1 of filter_main_*
+falsepositives:
+    - Unlikely
+level: high
@@ -0,0 +1,48 @@
+title: Odbcconf.EXE Suspicious DLL Location
+id: 6b65c28e-11f3-46cb-902a-68f2cafaf474
+status: experimental
+description: Detects execution of "odbcconf" where the path of the DLL being registered is located in a potentially suspicious location.
+references:
+    - https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16
+    - https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html
+    - https://securityintelligence.com/posts/raspberry-robin-worm-dridex-malware/
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/05/22
+tags:
+    - attack.defense_evasion
+    - attack.t1218.008
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_img:
+        - Image|endswith: '\odbcconf.exe'
+        - OriginalFileName: 'odbcconf.exe'
+    selection_cli:
+        # Note: Add more suspicious locations
+        CommandLine|contains:
+            - ':\PerfLogs\'
+            - ':\Temp\'
+            - ':\Users\Public\'
+            - ':\Windows\Registration\CRMLog'
+            - ':\Windows\System32\com\dmp\'
+            - ':\Windows\System32\FxsTmp\'
+            - ':\Windows\System32\Microsoft\Crypto\RSA\MachineKeys\'
+            - ':\Windows\System32\spool\drivers\color\'
+            - ':\Windows\System32\spool\PRINTERS\'
+            - ':\Windows\System32\spool\SERVERS\'
+            - ':\Windows\System32\Tasks_Migrated\'
+            - ':\Windows\System32\Tasks\Microsoft\Windows\SyncCenter\'
+            - ':\Windows\SysWOW64\com\dmp\'
+            - ':\Windows\SysWOW64\FxsTmp\'
+            - ':\Windows\SysWOW64\Tasks\Microsoft\Windows\PLA\System\'
+            - ':\Windows\SysWOW64\Tasks\Microsoft\Windows\SyncCenter\'
+            - ':\Windows\Tasks\'
+            - ':\Windows\Temp\'
+            - ':\Windows\Tracing\'
+            - '\AppData\Local\Temp\'
+            - '\AppData\Roaming\'
+    condition: all of selection_*
+falsepositives:
+    - Unlikely
+level: high
@@ -0,0 +1,35 @@
+title: New DLL Registered Via Odbcconf.EXE
+id: 9f0a8bf3-a65b-440a-8c1e-5cb1547c8e70
+related:
+    - id: ba4cfc11-d0fa-4d94-bf20-7c332c412e76
+      type: similar
+status: experimental
+description: Detects execution of "odbcconf" with "REGSVR" in order to register a new DLL (equivalent to running regsvr32). Attackers abuse this to install and run malicious DLLs.
+references:
+    - https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16
+    - https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/
+    - https://redcanary.com/blog/raspberry-robin/
+    - https://web.archive.org/web/20191023232753/https://twitter.com/Hexacorn/status/1187143326673330176
+    - https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/
+    - https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html
+author: Kirill Kiryanov, Beyu Denis, Daniil Yugoslavskiy, oscd.community, Nasreddine Bencherchali (Nextron Systems)
+date: 2023/05/22
+tags:
+    - attack.defense_evasion
+    - attack.t1218.008
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_img:
+        - Image|endswith: '\odbcconf.exe'
+        - OriginalFileName: 'odbcconf.exe'
+    selection_cli:
+        # Note: The "/A" flag is not required to call a specific action
+        CommandLine|contains|all:
+            - 'REGSVR '
+            - '.dll'
+    condition: all of selection_*
+falsepositives:
+    - Legitimate DLLs being registered via "odbcconf" will generate false positives. Investigate the path of the DLL and its content to determine if the action is authorized.
+level: medium
@@ -0,0 +1,32 @@
+title: Potentially Suspicious DLL Registered Via Odbcconf.EXE
+id: ba4cfc11-d0fa-4d94-bf20-7c332c412e76
+related:
+    - id: 9f0a8bf3-a65b-440a-8c1e-5cb1547c8e70
+      type: derived
+status: experimental
+description: Detects execution of "odbcconf" with the "REGSVR" action where the DLL in question doesn't contain a ".dll" extension. Which is often used as a method to evade defenses.
+references:
+    - https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16
+    - https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/
+    - https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/05/22
+tags:
+    - attack.defense_evasion
+    - attack.t1218.008
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_img:
+        - Image|endswith: '\odbcconf.exe'
+        - OriginalFileName: 'odbcconf.exe'
+    selection_cli:
+        # Note: The "/A" flag is not required to call a specific action
+        CommandLine|contains: 'REGSVR '
+    filter_main_dll_ext:
+        CommandLine|contains: '.dll'
+    condition: all of selection_* and not 1 of filter_main_*
+falsepositives:
+    - Unlikely
+level: high
@@ -0,0 +1,36 @@
+title: Response File Execution Via Odbcconf.EXE
+id: 5f03babb-12db-4eec-8c82-7b4cb5580868
+related:
+    - id: 2d32dd6f-3196-4093-b9eb-1ad8ab088ca5
+      type: similar
+    - id: 65d2be45-8600-4042-b4c0-577a1ff8a60e
+      type: obsoletes
+status: experimental
+description: Detects execution of "odbcconf" with the "-f" flag in order to load a response file which might contain a malicious action.
+references:
+    - https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16
+    - https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/
+    - https://www.cybereason.com/blog/threat-analysis-report-bumblebee-loader-the-high-road-to-enterprise-domain-control
+    - https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/
+author: Kirill Kiryanov, Beyu Denis, Daniil Yugoslavskiy, oscd.community, Nasreddine Bencherchali (Nextron Systems)
+date: 2023/05/22
+tags:
+    - attack.defense_evasion
+    - attack.t1218.008
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_img:
+        - Image|endswith: '\odbcconf.exe'
+        - OriginalFileName: 'odbcconf.exe'
+    selection_cli:
+        CommandLine|contains:
+            - ' -f '
+            - ' /f '
+    selection_rsp_ext:
+        CommandLine|contains: '.rsp'
+    condition: all of selection_*
+falsepositives:
+    - The rule is looking for any usage of response file, which might generate false positive when this function is used legitimately. Investigate the contents of the ".rsp" file to determine if it is malicious and apply additional filters if necessary.
+level: medium
@@ -0,0 +1,39 @@
+title: Suspicious Response File Execution Via Odbcconf.EXE
+id: 2d32dd6f-3196-4093-b9eb-1ad8ab088ca5
+related:
+    - id: 5f03babb-12db-4eec-8c82-7b4cb5580868
+      type: derived
+    - id: 65d2be45-8600-4042-b4c0-577a1ff8a60e
+      type: obsoletes
+status: experimental
+description: Detects execution of "odbcconf" with the "-f" flag in order to load a response file with a non-".rsp" extension.
+references:
+    - https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16
+    - https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/
+    - https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/05/22
+tags:
+    - attack.defense_evasion
+    - attack.t1218.008
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_img:
+        - Image|endswith: '\odbcconf.exe'
+        - OriginalFileName: 'odbcconf.exe'
+    selection_cli:
+        CommandLine|contains:
+            - ' -f '
+            - ' /f '
+    filter_main_rsp_ext:
+        CommandLine|contains: '.rsp'
+    filter_main_runonce_odbc:
+        # When odbcconf is run with the "/R" flag, it creates a "runonce" key to run at the next reboot
+        ParentImage: 'C:\Windows\System32\runonce.exe'
+        CommandLine|contains: '.exe /E /F "C:\WINDOWS\system32\odbcconf.tmp"'
+    condition: all of selection_* and not 1 of filter_main_*
+falsepositives:
+    - Unlikely
+level: high
@@ -0,0 +1,24 @@
+title: Uncommon Child Process Spawned By Odbcconf.EXE
+id: 8e3c7994-131e-4ba5-b6ea-804d49113a26
+status: experimental
+description: Detects an uncommon child process of "odbcconf.exe" binary which normally shouldn't have any child processes.
+references:
+    - https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16
+    - https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/
+    - https://medium.com/@cyberjyot/t1218-008-dll-execution-using-odbcconf-exe-803fa9e08dac
+author: Harjot Singh @cyb3rjy0t
+date: 2023/05/22
+tags:
+    - attack.defense_evasion
+    - attack.t1218.008
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        ParentImage|endswith: '\odbcconf.exe'
+    condition: selection
+falsepositives:
+    - In rare occurrences where "odbcconf" crashes. It might spawn a "werfault" process
+    - Other child processes will depend on the DLL being registered by actions like "regsvr". In case where the DLLs have external calls (which should be rare). Other child processes might spawn and additional filters need to be applied.
+level: medium
@@ -0,0 +1,33 @@
+title: New ODBC Driver Registered
+id: 3390fbef-c98d-4bdd-a863-d65ed7c610dd
+status: experimental
+description: Detects the registration of a new ODBC driver.
+references:
+    - https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/05/23
+tags:
+    - attack.persistence
+logsource:
+    category: registry_set
+    product: windows
+detection:
+    selection:
+        EventType: SetValue
+        TargetObject|contains: '\SOFTWARE\ODBC\ODBCINST.INI\'
+        TargetObject|endswith: '\Driver'
+    filter_main_sqlserver:
+        TargetObject|contains: '\SQL Server\'
+        Details: '%WINDIR%\System32\SQLSRV32.dll'
+    filter_optional_office_access:
+        TargetObject|contains: '\Microsoft Access '
+        Details|startswith: 'C:\Progra'
+        Details|endswith: '\ACEODBC.DLL'
+    filter_optional_office_excel:
+        TargetObject|contains: '\Microsoft Excel Driver'
+        Details|startswith: 'C:\Progra'
+        Details|endswith: '\ACEODBC.DLL'
+    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
+falsepositives:
+    - Likely
+level: low
@@ -0,0 +1,47 @@
+title: Potentially Suspicious ODBC Driver Registered
+id: e4d22291-f3d5-4b78-9a0c-a1fbaf32a6a4
+status: experimental
+description: Detects the registration of a new ODBC driver where the driver is located in a potentially suspicious location
+references:
+    - https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/05/23
+tags:
+    - attack.persistence
+    - attack.t1003
+logsource:
+    category: registry_set
+    product: windows
+detection:
+    selection:
+        EventType: SetValue
+        TargetObject|contains: '\SOFTWARE\ODBC\ODBCINST.INI\'
+        TargetObject|endswith:
+            - '\Driver'
+            - '\Setup'
+        Details|contains:
+            - ':\PerfLogs\'
+            - ':\Temp\'
+            - ':\Users\Public\'
+            - ':\Windows\Registration\CRMLog'
+            - ':\Windows\System32\com\dmp\'
+            - ':\Windows\System32\FxsTmp\'
+            - ':\Windows\System32\Microsoft\Crypto\RSA\MachineKeys\'
+            - ':\Windows\System32\spool\drivers\color\'
+            - ':\Windows\System32\spool\PRINTERS\'
+            - ':\Windows\System32\spool\SERVERS\'
+            - ':\Windows\System32\Tasks_Migrated\'
+            - ':\Windows\System32\Tasks\Microsoft\Windows\SyncCenter\'
+            - ':\Windows\SysWOW64\com\dmp\'
+            - ':\Windows\SysWOW64\FxsTmp\'
+            - ':\Windows\SysWOW64\Tasks\Microsoft\Windows\PLA\System\'
+            - ':\Windows\SysWOW64\Tasks\Microsoft\Windows\SyncCenter\'
+            - ':\Windows\Tasks\'
+            - ':\Windows\Temp\'
+            - ':\Windows\Tracing\'
+            - '\AppData\Local\Temp\'
+            - '\AppData\Roaming\'
+    condition: selection
+falsepositives:
+    - Unlikely
+level: high