Odbcconf Proxy Execution

Attackers abuse the signed odbcconf.exe REGSVR action to load and execute a malicious DLL under a trusted Windows binary.

odbcconf.exe is a signed, Microsoft-shipped command-line utility for configuring ODBC drivers and data sources. Among its actions is REGSVR, which registers an ODBC driver DLL — and in doing so loads that DLL and calls its DllRegisterServer entry point. That gives an attacker a clean way to execute arbitrary DLL code through a trusted binary, very much like regsvr32.exe, but through a utility that is far less commonly monitored.

Because odbcconf.exe is signed and present by default, it helps attackers defeat application allow-listing and blend into the noise of system administration. An analyst encounters it as a proxy: the malicious logic lives in a DLL, but the process tree shows the signed odbcconf.exe performing the load. It can also consume actions from a response (.rsp) file, which moves the giveaway command line out of plain sight.

How it works

The most direct form passes the REGSVR action with a DLL path on the command line:

```text
odbcconf.exe /a {REGSVR C:\Users\Public\driver.dll}
```

odbcconf loads driver.dll and invokes its DllRegisterServer export — which malware uses as its execution entry point, identical to the regsvr32 pattern. A stealthier variant stores the action in a response file and points odbcconf at it (/f payload.rsp), so the REGSVR directive and DLL path never appear directly in the parent command line. Analysts should flag any odbcconf.exe carrying /a, REGSVR, /f, or a DLL reference in a user-writable path: legitimate ODBC configuration rarely registers DLLs from %TEMP%, %APPDATA%, or \Public\.

Detection & analysis

Static analysis:

  • Inspect the referenced DLL: examine the export table for DllRegisterServer and compare against a known-good ODBC driver. Unsigned DLLs, a DllRegisterServer that immediately spawns processes or beacons, and DLLs sitting in user-writable directories are red flags.
  • If a response file is used, read it — it is plain text. Look for REGSVR actions, DLL paths, and chained directives. Triage the command line with regex/YARA for REGSVR, /a, /f, and DLL paths outside system directories.

Dynamic analysis:

  • Under Procmon/API Monitor, observe the LoadLibrary target and the call into DllRegisterServer. Legitimate odbcconf updates registry ODBC keys quietly; a registration that opens network sockets or spawns powershell.exe/cmd.exe is highly suspicious.
  • Examine the parent/child tree in a sandbox. Benign odbcconf.exe is launched by installers or admin scripts; malicious instances are commonly spawned by Office apps, wscript.exe, powershell.exe, or cmd.exe, and often spawn further children.

Detection rule hint:

Alert on Sysmon Event ID 1 where Image ends with \odbcconf.exe AND (the command line contains REGSVR, /a, or /f, OR references a .dll/.rsp in a user-writable directory, OR the parent process is an Office application or script host). Correlate with Sysmon Event ID 7 (image/DLL load) of an unsigned DLL by the odbcconf PID, and Event ID 3 (network) to surface DLL-based C2.
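The rule hint above, turned into a small Python triage over constructed Sysmon-style events (an added example, not code from the original page). Field names follow Sysmon (Image, CommandLine, ParentImage, ImageLoaded, Signed); the list of risky parents and the set of user-writable path fragments are assumptions drawn from the text, and the sample events are constructed, not real telemetry.

```python
import re

# Paths the text calls out as unlikely homes for a legitimate ODBC driver (assumed set)
USER_WRITABLE = re.compile(r"(\\Users\\Public\\|\\AppData\\|\\Temp\\|\\ProgramData\\)", re.I)
# Command-line tokens named in the detection hint: REGSVR, /a, /f
SUSPICIOUS_TOKENS = re.compile(r"(REGSVR|(?:^|\s)/a\b|(?:^|\s)/f\b)", re.I)
# Office applications and script hosts the text names as unusual parents (assumed set)
RISKY_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                 "wscript.exe", "cscript.exe", "mshta.exe"}

def triage_process_create(ev):
    """Event ID 1 rule from the text. Returns the matched reasons; an empty list means no alert."""
    if ev.get("EventID") != 1 or not ev.get("Image", "").lower().endswith("\\odbcconf.exe"):
        return []
    cmd, reasons = ev.get("CommandLine", ""), []
    for tok in SUSPICIOUS_TOKENS.findall(cmd):
        reasons.append(f"command line contains {tok.strip()}")
    for ref in re.findall(r"\S+\.(?:dll|rsp)\b", cmd, re.I):
        if USER_WRITABLE.search(ref):
            reasons.append(f"{ref} sits in a user-writable directory")
    parent = ev.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    if parent in RISKY_PARENTS:
        reasons.append(f"parent {parent} is an Office app or script host")
    return reasons

def unsigned_loads(pid, events):
    """Event ID 7 correlation: unsigned images loaded by the process with this PID."""
    return [e["ImageLoaded"] for e in events
            if e.get("EventID") == 7 and e.get("ProcessId") == pid
            and e.get("Signed", "").lower() != "true"]

def triage(events):
    """Map each alerting odbcconf PID to its reasons plus any unsigned DLLs it loaded."""
    out = {}
    for ev in events:
        reasons = triage_process_create(ev)
        if reasons:
            out[ev["ProcessId"]] = {"reasons": reasons,
                                    "unsigned_loads": unsigned_loads(ev["ProcessId"], events)}
    return out

# Constructed sample events using Sysmon field names; not real telemetry
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4120, "Image": r"C:\Windows\System32\odbcconf.exe",
     "CommandLine": r"odbcconf.exe /a {REGSVR C:\Users\Public\driver.dll}",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"EventID": 7, "ProcessId": 4120, "ImageLoaded": r"C:\Users\Public\driver.dll", "Signed": "false"},
    {"EventID": 7, "ProcessId": 4120, "ImageLoaded": r"C:\Windows\System32\odbc32.dll", "Signed": "true"},
    {"EventID": 1, "ProcessId": 5008, "Image": r"C:\Windows\SysWOW64\odbcconf.exe",
     "CommandLine": r"odbcconf.exe /f C:\Users\alice\AppData\Local\Temp\payload.rsp",
     "ParentImage": r"C:\Windows\System32\wscript.exe"},
    {"EventID": 1, "ProcessId": 6122, "Image": r"C:\Windows\System32\odbcconf.exe",
     "CommandLine": r'odbcconf.exe CONFIGSYSDSN "SQL Server" "DSN=Sales"',
     "ParentImage": r"C:\Windows\System32\msiexec.exe"},
]
```

Running `triage(SAMPLE_EVENTS)` flags PIDs 4120 and 5008 with their reasons and leaves the installer-launched CONFIGSYSDSN run alone; the returned reasons are what an analyst would tune against, since /a on its own also matches benign driver registration.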
