diff --git a/rules/windows/process_creation/proc_creation_win_odbcconf_susp_exec.yml b/deprecated/windows/proc_creation_win_odbcconf_susp_exec.yml similarity index 97% rename from rules/windows/process_creation/proc_creation_win_odbcconf_susp_exec.yml rename to deprecated/windows/proc_creation_win_odbcconf_susp_exec.yml index c142b74e3..b5359b429 100644 --- a/rules/windows/process_creation/proc_creation_win_odbcconf_susp_exec.yml +++ b/deprecated/windows/proc_creation_win_odbcconf_susp_exec.yml @@ -1,6 +1,6 @@ title: Application Whitelisting Bypass via DLL Loaded by odbcconf.exe id: 65d2be45-8600-4042-b4c0-577a1ff8a60e -status: test +status: deprecated description: Detects defence evasion attempt via odbcconf.exe execution to load DLL references: - https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/ @@ -9,7 +9,7 @@ references: - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-94a1964b682707e4e3f77dd61a3bfface5401d08d8cf81145f388e09614aceca author: Kirill Kiryanov, Beyu Denis, Daniil Yugoslavskiy, oscd.community date: 2019/10/25 -modified: 2023/02/09 +modified: 2023/05/22 tags: - attack.defense_evasion - attack.t1218.008 diff --git a/rules/windows/process_creation/proc_creation_win_odbcconf_driver_install.yml b/rules/windows/process_creation/proc_creation_win_odbcconf_driver_install.yml new file mode 100644 index 000000000..87209a5ad --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_odbcconf_driver_install.yml 
@@ -0,0 +1,32 @@ +title: Driver/DLL Installation Via Odbcconf.EXE +id: 3f5491e2-8db8-496b-9e95-1029fce852d4 +related: + - id: cb0fe7c5-f3a3-484d-aa25-d350a7912729 + type: similar +status: experimental +description: Detects execution of "odbcconf" with "INSTALLDRIVER" which installs a new ODBC driver. Attackers abuse this to install and run malicious DLLs. +references: + - https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/ + - https://web.archive.org/web/20191023232753/https://twitter.com/Hexacorn/status/1187143326673330176 + - https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/ +author: Nasreddine Bencherchali (Nextron Systems) +date: 2023/05/22 +tags: + - attack.defense_evasion + - attack.t1218.008 +logsource: + category: process_creation + product: windows +detection: + selection_img: + - Image|endswith: '\odbcconf.exe' + - OriginalFileName: 'odbcconf.exe' + selection_cli: + # Note: The "/A" flag is not required to call a specific action + CommandLine|contains|all: + - 'INSTALLDRIVER ' + - '.dll' + condition: all of selection_* +falsepositives: + - Legitimate driver DLLs being registered via "odbcconf" will generate false positives. Investigate the path of the DLL and its contents to determine if the action is authorized. +level: medium diff --git a/rules/windows/process_creation/proc_creation_win_odbcconf_driver_install_susp.yml b/rules/windows/process_creation/proc_creation_win_odbcconf_driver_install_susp.yml new file mode 100644 index 000000000..301b86713 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_odbcconf_driver_install_susp.yml 
@@ -0,0 +1,32 @@ +title: Suspicious Driver/DLL Installation Via Odbcconf.EXE +id: cb0fe7c5-f3a3-484d-aa25-d350a7912729 +related: + - id: 3f5491e2-8db8-496b-9e95-1029fce852d4 + type: derived +status: experimental +description: Detects execution of "odbcconf" with the "INSTALLDRIVER" action where the driver doesn't contain a ".dll" extension. This is often used as a defense evasion method. +references: + - https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/ + - https://web.archive.org/web/20191023232753/https://twitter.com/Hexacorn/status/1187143326673330176 + - https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/ +author: Nasreddine Bencherchali (Nextron Systems) +date: 2023/05/23 +tags: + - attack.defense_evasion + - attack.t1218.008 +logsource: + category: process_creation + product: windows +detection: + selection_img: + - Image|endswith: '\odbcconf.exe' + - OriginalFileName: 'odbcconf.exe' + selection_cli: + # Note: The "/A" flag is not required to call a specific action + CommandLine|contains: 'INSTALLDRIVER ' + filter_main_dll_ext: + CommandLine|contains: '.dll' + condition: all of selection_* and not 1 of filter_main_* +falsepositives: + - Unlikely +level: high diff --git a/rules/windows/process_creation/proc_creation_win_odbcconf_exec_susp_locations.yml b/rules/windows/process_creation/proc_creation_win_odbcconf_exec_susp_locations.yml new file mode 100644 index 000000000..1c55829fc --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_odbcconf_exec_susp_locations.yml 
@@ -0,0 +1,48 @@ +title: Odbcconf.EXE Suspicious DLL Location +id: 6b65c28e-11f3-46cb-902a-68f2cafaf474 +status: experimental +description: Detects execution of "odbcconf" where the path of the DLL being registered is located in a potentially suspicious location. +references: + - https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16 + - https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html + - https://securityintelligence.com/posts/raspberry-robin-worm-dridex-malware/ +author: Nasreddine Bencherchali (Nextron Systems) +date: 2023/05/22 +tags: + - attack.defense_evasion + - attack.t1218.008 +logsource: + category: process_creation + product: windows +detection: + selection_img: + - Image|endswith: '\odbcconf.exe' + - OriginalFileName: 'odbcconf.exe' + selection_cli: + # Note: Add more suspicious locations + CommandLine|contains: + - ':\PerfLogs\' + - ':\Temp\' + - ':\Users\Public\' + - ':\Windows\Registration\CRMLog' + - ':\Windows\System32\com\dmp\' + - ':\Windows\System32\FxsTmp\' + - ':\Windows\System32\Microsoft\Crypto\RSA\MachineKeys\' + - ':\Windows\System32\spool\drivers\color\' + - ':\Windows\System32\spool\PRINTERS\' + - ':\Windows\System32\spool\SERVERS\' + - ':\Windows\System32\Tasks_Migrated\' + - ':\Windows\System32\Tasks\Microsoft\Windows\SyncCenter\' + - ':\Windows\SysWOW64\com\dmp\' + - ':\Windows\SysWOW64\FxsTmp\' + - ':\Windows\SysWOW64\Tasks\Microsoft\Windows\PLA\System\' + - ':\Windows\SysWOW64\Tasks\Microsoft\Windows\SyncCenter\' + - ':\Windows\Tasks\' + - ':\Windows\Temp\' + - ':\Windows\Tracing\' + - '\AppData\Local\Temp\' + - '\AppData\Roaming\' + condition: all of selection_* +falsepositives: + - Unlikely +level: high diff --git a/rules/windows/process_creation/proc_creation_win_odbcconf_register_dll_regsvr.yml b/rules/windows/process_creation/proc_creation_win_odbcconf_register_dll_regsvr.yml new file mode 100644 index 000000000..48340151f --- /dev/null 
+++ b/rules/windows/process_creation/proc_creation_win_odbcconf_register_dll_regsvr.yml @@ -0,0 +1,35 @@ +title: New DLL Registered Via Odbcconf.EXE +id: 9f0a8bf3-a65b-440a-8c1e-5cb1547c8e70 +related: + - id: ba4cfc11-d0fa-4d94-bf20-7c332c412e76 + type: similar +status: experimental +description: Detects execution of "odbcconf" with "REGSVR" in order to register a new DLL (equivalent to running regsvr32). Attackers abuse this to install and run malicious DLLs. +references: + - https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16 + - https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/ + - https://redcanary.com/blog/raspberry-robin/ + - https://web.archive.org/web/20191023232753/https://twitter.com/Hexacorn/status/1187143326673330176 + - https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/ + - https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html +author: Kirill Kiryanov, Beyu Denis, Daniil Yugoslavskiy, oscd.community, Nasreddine Bencherchali (Nextron Systems) +date: 2023/05/22 +tags: + - attack.defense_evasion + - attack.t1218.008 +logsource: + category: process_creation + product: windows +detection: + selection_img: + - Image|endswith: '\odbcconf.exe' + - OriginalFileName: 'odbcconf.exe' + selection_cli: + # Note: The "/A" flag is not required to call a specific action + CommandLine|contains|all: + - 'REGSVR ' + - '.dll' + condition: all of selection_* +falsepositives: + - Legitimate DLLs being registered via "odbcconf" will generate false positives. Investigate the path of the DLL and its content to determine if the action is authorized. +level: medium diff --git a/rules/windows/process_creation/proc_creation_win_odbcconf_register_dll_regsvr_susp.yml b/rules/windows/process_creation/proc_creation_win_odbcconf_register_dll_regsvr_susp.yml new file mode 100644 index 000000000..0440dd860 --- /dev/null 
+++ b/rules/windows/process_creation/proc_creation_win_odbcconf_register_dll_regsvr_susp.yml @@ -0,0 +1,32 @@ +title: Potentially Suspicious DLL Registered Via Odbcconf.EXE +id: ba4cfc11-d0fa-4d94-bf20-7c332c412e76 +related: + - id: 9f0a8bf3-a65b-440a-8c1e-5cb1547c8e70 + type: derived +status: experimental +description: Detects execution of "odbcconf" with the "REGSVR" action where the DLL in question doesn't contain a ".dll" extension. Which is often used as a method to evade defenses. +references: + - https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16 + - https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/ + - https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html +author: Nasreddine Bencherchali (Nextron Systems) +date: 2023/05/22 +tags: + - attack.defense_evasion + - attack.t1218.008 +logsource: + category: process_creation + product: windows +detection: + selection_img: + - Image|endswith: '\odbcconf.exe' + - OriginalFileName: 'odbcconf.exe' + selection_cli: + # Note: The "/A" flag is not required to call a specific action + CommandLine|contains: 'REGSVR ' + filter_main_dll_ext: + CommandLine|contains: '.dll' + condition: all of selection_* and not 1 of filter_main_* +falsepositives: + - Unlikely +level: high diff --git a/rules/windows/process_creation/proc_creation_win_odbcconf_response_file.yml b/rules/windows/process_creation/proc_creation_win_odbcconf_response_file.yml new file mode 100644 index 000000000..e212750ee --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_odbcconf_response_file.yml 
@@ -0,0 +1,36 @@ +title: Response File Execution Via Odbcconf.EXE +id: 5f03babb-12db-4eec-8c82-7b4cb5580868 +related: + - id: 2d32dd6f-3196-4093-b9eb-1ad8ab088ca5 + type: similar + - id: 65d2be45-8600-4042-b4c0-577a1ff8a60e + type: obsoletes +status: experimental +description: Detects execution of "odbcconf" with the "-f" flag in order to load a response file which might contain a malicious action. +references: + - https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16 + - https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/ + - https://www.cybereason.com/blog/threat-analysis-report-bumblebee-loader-the-high-road-to-enterprise-domain-control + - https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/ +author: Kirill Kiryanov, Beyu Denis, Daniil Yugoslavskiy, oscd.community, Nasreddine Bencherchali (Nextron Systems) +date: 2023/05/22 +tags: + - attack.defense_evasion + - attack.t1218.008 +logsource: + category: process_creation + product: windows +detection: + selection_img: + - Image|endswith: '\odbcconf.exe' + - OriginalFileName: 'odbcconf.exe' + selection_cli: + CommandLine|contains: + - ' -f ' + - ' /f ' + selection_rsp_ext: + CommandLine|contains: '.rsp' + condition: all of selection_* +falsepositives: + - The rule is looking for any usage of response file, which might generate false positive when this function is used legitimately. Investigate the contents of the ".rsp" file to determine if it is malicious and apply additional filters if necessary. +level: medium diff --git a/rules/windows/process_creation/proc_creation_win_odbcconf_response_file_susp.yml b/rules/windows/process_creation/proc_creation_win_odbcconf_response_file_susp.yml new file mode 100644 index 000000000..189f0a8bf --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_odbcconf_response_file_susp.yml 
@@ -0,0 +1,39 @@ +title: Suspicious Response File Execution Via Odbcconf.EXE +id: 2d32dd6f-3196-4093-b9eb-1ad8ab088ca5 +related: + - id: 5f03babb-12db-4eec-8c82-7b4cb5580868 + type: derived + - id: 65d2be45-8600-4042-b4c0-577a1ff8a60e + type: obsoletes +status: experimental +description: Detects execution of "odbcconf" with the "-f" flag in order to load a response file with a non-".rsp" extension. +references: + - https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16 + - https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/ + - https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html +author: Nasreddine Bencherchali (Nextron Systems) +date: 2023/05/22 +tags: + - attack.defense_evasion + - attack.t1218.008 +logsource: + category: process_creation + product: windows +detection: + selection_img: + - Image|endswith: '\odbcconf.exe' + - OriginalFileName: 'odbcconf.exe' + selection_cli: + CommandLine|contains: + - ' -f ' + - ' /f ' + filter_main_rsp_ext: + CommandLine|contains: '.rsp' + filter_main_runonce_odbc: + # When odbcconf is run with the "/R" flag, it creates a "runonce" key to run at the next reboot + ParentImage: 'C:\Windows\System32\runonce.exe' + CommandLine|contains: '.exe /E /F "C:\WINDOWS\system32\odbcconf.tmp"' + condition: all of selection_* and not 1 of filter_main_* +falsepositives: + - Unlikely +level: high diff --git a/rules/windows/process_creation/proc_creation_win_odbcconf_uncommon_child_process.yml b/rules/windows/process_creation/proc_creation_win_odbcconf_uncommon_child_process.yml new file mode 100644 index 000000000..cf2b81b8f --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_odbcconf_uncommon_child_process.yml 
@@ -0,0 +1,24 @@ +title: Uncommon Child Process Spawned By Odbcconf.EXE +id: 8e3c7994-131e-4ba5-b6ea-804d49113a26 +status: experimental +description: Detects an uncommon child process of "odbcconf.exe" binary which normally shouldn't have any child processes. +references: + - https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16 + - https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/ + - https://medium.com/@cyberjyot/t1218-008-dll-execution-using-odbcconf-exe-803fa9e08dac +author: Harjot Singh @cyb3rjy0t +date: 2023/05/22 +tags: + - attack.defense_evasion + - attack.t1218.008 +logsource: + category: process_creation + product: windows +detection: + selection: + ParentImage|endswith: '\odbcconf.exe' + condition: selection +falsepositives: + - In rare occurrences where "odbcconf" crashes. It might spawn a "werfault" process + - Other child processes will depend on the DLL being registered by actions like "regsvr". In case where the DLLs have external calls (which should be rare). Other child processes might spawn and additional filters need to be applied. +level: medium diff --git a/rules/windows/registry/registry_set/registry_set_odbc_driver_registered.yml b/rules/windows/registry/registry_set/registry_set_odbc_driver_registered.yml new file mode 100644 index 000000000..80ae864f8 --- /dev/null +++ b/rules/windows/registry/registry_set/registry_set_odbc_driver_registered.yml 
@@ -0,0 +1,33 @@ +title: New ODBC Driver Registered +id: 3390fbef-c98d-4bdd-a863-d65ed7c610dd +status: experimental +description: Detects the registration of a new ODBC driver. +references: + - https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/ +author: Nasreddine Bencherchali (Nextron Systems) +date: 2023/05/23 +tags: + - attack.persistence +logsource: + category: registry_set + product: windows +detection: + selection: + EventType: SetValue + TargetObject|contains: '\SOFTWARE\ODBC\ODBCINST.INI\' + TargetObject|endswith: '\Driver' + filter_main_sqlserver: + TargetObject|contains: '\SQL Server\' + Details: '%WINDIR%\System32\SQLSRV32.dll' + filter_optional_office_access: + TargetObject|contains: '\Microsoft Access ' + Details|startswith: 'C:\Progra' + Details|endswith: '\ACEODBC.DLL' + filter_optional_office_excel: + TargetObject|contains: '\Microsoft Excel Driver' + Details|startswith: 'C:\Progra' + Details|endswith: '\ACEODBC.DLL' + condition: selection and not 1 of filter_main_* and not 1 of filter_optional_* +falsepositives: + - Likely +level: low diff --git a/rules/windows/registry/registry_set/registry_set_odbc_driver_registered_susp.yml b/rules/windows/registry/registry_set/registry_set_odbc_driver_registered_susp.yml new file mode 100644 index 000000000..f255eaa09 --- /dev/null +++ b/rules/windows/registry/registry_set/registry_set_odbc_driver_registered_susp.yml 
@@ -0,0 +1,47 @@ +title: Potentially Suspicious ODBC Driver Registered +id: e4d22291-f3d5-4b78-9a0c-a1fbaf32a6a4 +status: experimental +description: Detects the registration of a new ODBC driver where the driver is located in a potentially suspicious location +references: + - https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/ +author: Nasreddine Bencherchali (Nextron Systems) +date: 2023/05/23 +tags: + - attack.persistence + - attack.t1003 +logsource: + category: registry_set + product: windows +detection: + selection: + EventType: SetValue + TargetObject|contains: '\SOFTWARE\ODBC\ODBCINST.INI\' + TargetObject|endswith: + - '\Driver' + - '\Setup' + Details|contains: + - ':\PerfLogs\' + - ':\Temp\' + - ':\Users\Public\' + - ':\Windows\Registration\CRMLog' + - ':\Windows\System32\com\dmp\' + - ':\Windows\System32\FxsTmp\' + - ':\Windows\System32\Microsoft\Crypto\RSA\MachineKeys\' + - ':\Windows\System32\spool\drivers\color\' + - ':\Windows\System32\spool\PRINTERS\' + - ':\Windows\System32\spool\SERVERS\' + - ':\Windows\System32\Tasks_Migrated\' + - ':\Windows\System32\Tasks\Microsoft\Windows\SyncCenter\' + - ':\Windows\SysWOW64\com\dmp\' + - ':\Windows\SysWOW64\FxsTmp\' + - ':\Windows\SysWOW64\Tasks\Microsoft\Windows\PLA\System\' + - ':\Windows\SysWOW64\Tasks\Microsoft\Windows\SyncCenter\' + - ':\Windows\Tasks\' + - ':\Windows\Temp\' + - ':\Windows\Tracing\' + - '\AppData\Local\Temp\' + - '\AppData\Roaming\' + condition: selection +falsepositives: + - Unlikely +level: high
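Review bot: In the deprecation hunk for proc_creation_win_odbcconf_susp_exec.yml (the first hunk, `-status: test` / `+status: deprecated`), the deprecated file carries no pointer to its successors even though two new rules in this patch (5f03babb-12db-4eec-8c82-7b4cb5580868 and 2d32dd6f-3196-4093-b9eb-1ad8ab088ca5) declare `type: obsoletes` against its id 65d2be45-8600-4042-b4c0-577a1ff8a60e. Consider adding a `related` block or a sentence in the description naming the replacement rule ids so anyone landing on the deprecated file finds the new coverage.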
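Review bot: In proc_creation_win_odbcconf_driver_install.yml the `selection_cli` block requires both `'INSTALLDRIVER '` and `'.dll'` via `contains|all`, and the derived rule cb0fe7c5-f3a3-484d-aa25-d350a7912729 filters on the very same `'.dll'` string, so the two rules are complementary by construction. That relationship is only visible by reading both files; add a one-line comment next to `'.dll'` (for example `# The "_susp" variant covers command lines without ".dll"`) so a maintainer changing one rule keeps the other in sync.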
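Review bot: In proc_creation_win_odbcconf_driver_install_susp.yml the `filter_main_dll_ext` clause `CommandLine|contains: '.dll'` excludes any command line containing `.dll` anywhere, not only in the driver argument that follows `INSTALLDRIVER`, so the rule's description ("where the driver doesn't contain a ".dll" extension") is broader than what the logic enforces. Either narrow the description to "where the command line does not contain ".dll"" or document the approximation in a comment; also note the `date: 2023/05/23` here differs from the base rule's `date: 2023/05/22`, which is fine but worth confirming is intentional.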
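Review bot: In proc_creation_win_odbcconf_exec_susp_locations.yml the description says it detects cases "where the path of the DLL being registered is located in a potentially suspicious location", but `selection_cli` matches the location strings anywhere on the command line and there is no requirement for a `REGSVR` or `INSTALLDRIVER` action, so an `-f` response file or any other argument in one of those directories also fires. Either broaden the description to "any odbcconf argument in a suspicious location" or add an action selection. The location list is also duplicated verbatim in registry_set_odbc_driver_registered_susp.yml; the `# Note: Add more suspicious locations` comment should mention that the two lists are meant to be kept identical.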
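Review bot: In proc_creation_win_odbcconf_register_dll_regsvr.yml the `author` field carries over the original authors of the deprecated rule ("Kirill Kiryanov, Beyu Denis, Daniil Yugoslavskiy, oscd.community"), which implies this rule descends from 65d2be45-8600-4042-b4c0-577a1ff8a60e, yet the `related` block only lists ba4cfc11-d0fa-4d94-bf20-7c332c412e76 as `similar`. If this rule is a successor, add `- id: 65d2be45-8600-4042-b4c0-577a1ff8a60e` / `type: obsoletes` as the response-file rules do; if not, the inherited author list is misleading.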
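Review bot: In proc_creation_win_odbcconf_register_dll_regsvr_susp.yml the description contains a sentence fragment: "...doesn't contain a ".dll" extension. Which is often used as a method to evade defenses." Suggest joining the sentences: "...doesn't contain a ".dll" extension, which is often used as a method to evade defenses." The same unanchored-`contains` caveat as the INSTALLDRIVER variant applies to `filter_main_dll_ext` here.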
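Review bot: In proc_creation_win_odbcconf_response_file.yml the `falsepositives` entry has grammar issues: "any usage of response file, which might generate false positive" should read "any usage of a response file, which might generate false positives". Separately, `selection_rsp_ext` is a positive requirement for `'.rsp'` while the derived rule filters on the same string, so the pair partitions on the extension exactly like the REGSVR and INSTALLDRIVER pairs; a short comment making that explicit would help maintainers.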
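Review bot: In proc_creation_win_odbcconf_response_file_susp.yml the `filter_main_runonce_odbc` clause hardcodes a drive letter and path in `ParentImage: 'C:\Windows\System32\runonce.exe'` and in `'.exe /E /F "C:\WINDOWS\system32\odbcconf.tmp"'`, whereas every other rule in this patch uses drive-agnostic patterns such as `':\Windows\...'` and `Image|endswith`. Suggest `ParentImage|endswith: '\System32\runonce.exe'` and `CommandLine|contains: '\odbcconf.tmp"'` (or `endswith`) so the filter also holds on systems where Windows is not on C:. Also, both this rule and the base rule 5f03babb-12db-4eec-8c82-7b4cb5580868 declare `type: obsoletes` for 65d2be45-8600-4042-b4c0-577a1ff8a60e; normally only one rule obsoletes a predecessor, with the derived rule pointing at its base via `derived`, so consider dropping the duplicate here.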
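Review bot: In proc_creation_win_odbcconf_uncommon_child_process.yml the `falsepositives` section already names "werfault" as an expected child when odbcconf crashes, so that case should be a filter in the detection (for example `filter_main_werfault: Image|endswith: '\WerFault.exe'` with `condition: selection and not 1 of filter_main_*`) rather than only a note. The `falsepositives` entries are also fragmented: "In rare occurrences where "odbcconf" crashes. It might spawn a "werfault" process" and "In case where the DLLs have external calls (which should be rare). Other child processes might spawn" should each be a single sentence. Finally, the description reads "of "odbcconf.exe" binary which normally shouldn't have any child processes"; "of the "odbcconf.exe" binary, which normally shouldn't have any child processes" is cleaner.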
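Review bot: In registry_set_odbc_driver_registered.yml the selection only matches `TargetObject|endswith: '\Driver'`, while the companion rule registry_set_odbc_driver_registered_susp.yml also watches `'\Setup'`; if the `\Setup` value is relevant for the suspicious variant it is relevant here too, so either add it or note why the base rule is narrower. The optional Office filters hardcode `Details|startswith: 'C:\Progra'`, which breaks on non-C: installs; `Details|contains: ':\Progra'` keeps the same intent and matches the drive-agnostic style used elsewhere in the patch.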
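Review bot: In registry_set_odbc_driver_registered_susp.yml the tag `attack.t1003` (OS Credential Dumping) does not fit a rule about an ODBC driver being registered from a suspicious path; every other rule in this patch uses `attack.t1218.008` under `attack.defense_evasion`, and the companion registry rule carries only `attack.persistence`. Replace or drop the tag. The description is also missing its trailing period, and, as noted for the process-creation rule, the suspicious-path list is a verbatim copy of the one in proc_creation_win_odbcconf_exec_susp_locations.yml and should carry a comment saying the two must be kept in sync.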