From 13093c879e6e748fccc2475c121d7f99f9fa010c Mon Sep 17 00:00:00 2001
From: Oddvar Moe <oddvar.moe@gmail.com>
Date: Thu, 24 Oct 2019 10:01:44 +0200
Subject: [PATCH] Updated odbcconf.exe with discovery from @Hexacorn <3

---
 yml/OSBinaries/Odbcconf.yml | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/yml/OSBinaries/Odbcconf.yml b/yml/OSBinaries/Odbcconf.yml
index b654bac..2ed0304 100644
--- a/yml/OSBinaries/Odbcconf.yml
+++ b/yml/OSBinaries/Odbcconf.yml
@@ -12,6 +12,14 @@ Commands:
     MitreID: T1218
     MitreLink: https://attack.mitre.org/wiki/Technique/T1218
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
+  - Command: odbcconf /a {REGSVR c:\test\test.dll}
+    Description: Execute DllREgisterServer from DLL specified.
+    Usecase: Execute dll file using technique that can evade defensive counter measures
+    Category: Execute
+    Privileges: User
+    MitreID: T1218
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
+    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
 Full_Path:
   - Path: C:\Windows\System32\odbcconf.exe
   - Path: C:\Windows\SysWOW64\odbcconf.exe
@@ -22,7 +30,10 @@ Detection:
 Resources:
   - Link: https://gist.github.com/NickTyrer/6ef02ce3fd623483137b45f65017352b
   - Link: https://github.com/woanware/application-restriction-bypasses
+  - Link: https://twitter.com/Hexacorn/status/1187143326673330176
 Acknowledgement:
   - Person: Casey Smith
     Handle: '@subtee'
+  - Person: Adam
+    Handle: '@Hexacorn'
 ---
\ No newline at end of file