AN1335: Analytic 1335
Identifies abuse of odbcconf.exe to execute malicious DLLs using the REGSVR command flag. Behavior chain: (1) Process creation of odbcconf.exe with /REGSVR or /A {REGSVR ...} arguments → (2) DLL load by odbcconf.exe of non-standard or unsigned modules → (3) Optional follow-on process creation or network activity from loaded DLL.
Analyst context for executives and security teams
This analytic focuses on suspicious use of Windows odbcconf.exe to load DLLs through REGSVR-related arguments. For leaders, the practical issue is that a legitimate Windows utility can become the execution path for untrusted code, which may reduce the value of simple allow-list assumptions and complicate incident triage.
Executive priority
Prioritize this as a Windows detection and response validation item: can the SOC prove when odbcconf.exe is used with REGSVR-style arguments, what DLL it loads, whether that DLL is signed or expected, and whether follow-on process or network behavior occurs? This supports incident decision-making, control assurance, and audit evidence around monitoring of legitimate administrative binaries used in suspicious ways.
Technical view
Validate coverage for the described behavior chain on Windows: process creation of odbcconf.exe with /REGSVR or /A {REGSVR ...} arguments, DLL load activity by odbcconf.exe involving non-standard or unsigned modules, and any optional follow-on process creation or network activity from the loaded DLL. Because no official detection logic is supplied, teams should build and test detections from local telemetry rather than assume coverage from the ATT&CK entry alone.
Likely telemetry
- Windows process creation events including executable path, command line, parent process, user, and timestamp
- Module or DLL load telemetry for odbcconf.exe, including file path and signature status where available
- File metadata for loaded DLLs, including signer, hash, location, and prevalence in the environment
- Child process creation events following odbcconf.exe execution
- Network connection telemetry associated with odbcconf.exe or immediate child processes
Detection direction
- Alert or hunt on odbcconf.exe command lines containing /REGSVR or /A {REGSVR ...}, then enrich with parent process, user context, and host role.
- Correlate matching process creation with DLL loads by odbcconf.exe, focusing on unsigned, uncommon, or non-standard module paths.
- Review follow-on process creation or network activity after the DLL load to separate benign administrative use from higher-risk execution chains.
- Tune using known legitimate administrative or software installation activity to reduce false positives without suppressing visibility into rare odbcconf.exe REGSVR usage.
- Confirm that endpoint telemetry captures both command-line arguments and module loads; missing either creates a material blind spot for this analytic.
Mitigation priorities
- First, ensure endpoint logging is configured to capture process command lines and DLL/module load evidence on Windows systems where this behavior matters.
- Next, baseline legitimate odbcconf.exe usage so detections can focus on unusual REGSVR invocation patterns and unexpected DLL locations or signatures.
- Then, apply least-privilege and software execution controls where appropriate to limit untrusted DLL execution through legitimate Windows binaries.
- Finally, incorporate this analytic into incident response playbooks so analysts know to collect the loaded DLL, parent/child process details, signature status, and related network evidence.
Analyst notes and limits
This is a detection analytic, not a technique description with full tactic mapping. The supplied object names Windows as the platform and describes a specific odbcconf.exe REGSVR behavior chain. No relationship context is supplied, so this take avoids attribution, campaign linkage, or broader technique mapping beyond the official description.
Official detection content is not provided, tactics are not specified, and no relationships are supplied. Local environment baselining is required to determine what is normal, what telemetry is available, and which detections are reliable.
Analytic 1335
Identifies abuse of odbcconf.exe to execute malicious DLLs using the REGSVR command flag. Behavior chain: (1) Process creation of odbcconf.exe with /REGSVR or /A {REGSVR ...} arguments → (2) DLL load by odbcconf.exe of non-standard or unsigned modules → (3) Optional follow-on process creation or network activity from loaded DLL.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | 93dcfdfa502f… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack AN1335Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.