public-mirrors/LOLBAS
1
0
Fork 0
mirror of https://github.com/LOLBAS-Project/LOLBAS synced 2024-12-28 15:58:24 +01:00
Code Issues Projects Releases Wiki Activity

Updating odbcconf, fixes #282 - thanks @hexacorn (#283)

Browse Source
This commit is contained in:
Wietze 2023-03-25 16:14:04 +00:00 committed by GitHub
parent 2b7fdcac03
commit 06f33c91ae
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 14 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
yml/OSBinaries/Odbcconf.yml
View File

@ -4,15 +4,23 @@ Description: Used in Windows for managing ODBC connections
Author: 'Oddvar Moe' Author: 'Oddvar Moe'
Created: 2018-05-25 Created: 2018-05-25
Commands: Commands:
- Command: odbcconf -f file.rsp - Command: odbcconf /a {REGSVR c:\test\test.dll}
Description: Load DLL specified in target .RSP file. See the payloads folder for an example .RSP file. Description: Execute DllREgisterServer from DLL specified.
Usecase: Execute dll file using technique that can evade defensive counter measures Usecase: Execute dll file using technique that can evade defensive counter measures
Category: Execute Category: Execute
Privileges: User Privileges: User
MitreID: T1218.008 MitreID: T1218.008
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: odbcconf /a {REGSVR c:\test\test.dll} - Command: odbcconf INSTALLDRIVER "lolbas-project|Driver=c:\test\test.dll|APILevel=2"
Description: Execute DllREgisterServer from DLL specified. odbcconf configsysdsn "lolbas-project" "DSN=lolbas-project"
Description: Install a driver and load the DLL. Requires administrator privileges.
Usecase: Execute dll file using technique that can evade defensive counter measures
Category: Execute
Privileges: User
MitreID: T1218.008
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: odbcconf -f file.rsp
Description: Load DLL specified in target .RSP file. See the Code Sample section for an example .RSP file.
Usecase: Execute dll file using technique that can evade defensive counter measures Usecase: Execute dll file using technique that can evade defensive counter measures
Category: Execute Category: Execute
Privileges: User Privileges: User
@ -22,7 +30,7 @@ Full_Path:
- Path: C:\Windows\System32\odbcconf.exe - Path: C:\Windows\System32\odbcconf.exe
- Path: C:\Windows\SysWOW64\odbcconf.exe - Path: C:\Windows\SysWOW64\odbcconf.exe
Code_Sample: Code_Sample:
- Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/file.rsp - Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/58b5eb751379501aa237275f14381f0902e979a5/Archive-Old-Version/OSBinaries/Payload/file.rsp
Detection: Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_odbcconf.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_odbcconf.yml
- Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml
@ -30,7 +38,7 @@ Detection:
Resources: Resources:
- Link: https://gist.github.com/NickTyrer/6ef02ce3fd623483137b45f65017352b - Link: https://gist.github.com/NickTyrer/6ef02ce3fd623483137b45f65017352b
- Link: https://github.com/woanware/application-restriction-bypasses - Link: https://github.com/woanware/application-restriction-bypasses
- Link: https://twitter.com/Hexacorn/status/1187143326673330176 - Link: https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/
Acknowledgement: Acknowledgement:
- Person: Casey Smith - Person: Casey Smith
Handle: '@subtee' Handle: '@subtee'