Live Active security incident? Get immediate response
MITRE ATT&CK® Technique

T1218.008: Odbcconf

Adversaries may abuse odbcconf.exe to proxy execution of malicious payloads. Odbcconf.exe is a Windows utility that allows you to configure Open Database Connectivity (ODBC) drivers and data source names.[1] The Odbcconf.exe binary may be digitally signed by Microsoft.

Adversaries may abuse odbcconf.exe to bypass application control solutions that do not account for its potential abuse. Similar to Regsvr32, odbcconf.exe has a REGSVR flag that can be misused to execute DLLs (ex: odbcconf.exe /S /A {REGSVR "C:\Users\Public\file.dll"}). [2][3][4]

EnterpriseT1218.008Sub-techniqueObject v3.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

Odbcconf is a Windows utility that can be abused to make a trusted, Microsoft-signed system binary execute a malicious DLL. The business issue is not the tool itself; it is the blind spot created when controls allow native signed binaries without checking how they are being used.

Executive priority

Prioritize this where Windows application control, endpoint detection, or audit programs rely heavily on trusted publisher status. Leaders should ask whether execution-prevention policies explicitly account for system binary proxy execution, whether SOC teams can see suspicious odbcconf.exe usage, and whether incident responders can quickly determine what DLL was loaded and from where.

Technical view

This is a Windows sub-technique of System Binary Proxy Execution under the stealth tactic. ATT&CK notes abuse of odbcconf.exe, including its REGSVR capability, to proxy DLL execution and potentially bypass application control. There is no official ATT&CK detection text supplied, but the relationship to DET0486 indicates a detection strategy exists for Odbcconf proxy execution of malicious DLLs. SOC teams should validate visibility into odbcconf.exe process creation, command-line arguments, parent process, loaded DLL path, file provenance, and user context.

Likely telemetry

  • Windows process creation events for odbcconf.exe
  • Command-line arguments, especially REGSVR-related usage
  • Parent and child process relationships
  • DLL load or image load telemetry tied to odbcconf.exe
  • File path, signer, and hash metadata for DLLs referenced by odbcconf.exe

Detection direction

  • Baseline legitimate ODBC configuration activity before alerting on all odbcconf.exe execution.
  • Prioritize odbcconf.exe executions that reference DLL registration behavior, unusual user-writable paths, or unexpected parent processes.
  • Correlate process telemetry with DLL load and file metadata to distinguish administrative use from proxy execution.
  • Review application control logs for cases where odbcconf.exe is allowed solely because it is a trusted Windows binary.
  • Use relationship context carefully: ATT&CK links this technique to Cobalt Group, Bumblebee, and Raspberry Robin, but local telemetry is required before making attribution or campaign claims.

Mitigation priorities

  • Review execution-prevention controls so trusted system binaries are not implicitly allowed to execute arbitrary DLL content.
  • Apply application control rules that account for misuse of odbcconf.exe, not just file signature or Microsoft publisher status.
  • Disable or remove unnecessary features or programs where ODBC configuration tooling is not required, consistent with M1042.
  • For systems that require odbcconf.exe, restrict administrative use and monitor exceptions as compensating evidence.
Analyst notes and limits

This object is most useful as a control-validation case: can the organization detect and govern abuse of a legitimate Windows binary rather than only known malware files? It is also relevant for compliance evidence around application control effectiveness and SOC monitoring of living-off-the-land behavior.

Official ATT&CK detection text was not provided, and the supplied DET0486 relationship does not include detection logic details. Environment-specific baselines are required to determine normal ODBC administration activity, acceptable use of odbcconf.exe, and false-positive rates.

Official MITRE ATT&CK definition

Odbcconf

Adversaries may abuse odbcconf.exe to proxy execution of malicious payloads. Odbcconf.exe is a Windows utility that allows you to configure Open Database Connectivity (ODBC) drivers and data source names.[1] The Odbcconf.exe binary may be digitally signed by Microsoft.

Adversaries may abuse odbcconf.exe to bypass application control solutions that do not account for its potential abuse. Similar to Regsvr32, odbcconf.exe has a REGSVR flag that can be misused to execute DLLs (ex: odbcconf.exe /S /A {REGSVR "C:\Users\Public\file.dll"}). [2][3][4]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 rows
Domain ID Name Relationship / procedure
Enterprise T1218 System Binary Proxy Execution This object subtechnique of System Binary Proxy Execution.
Associated objects

Groups, software, and campaigns

Group Enterprise

G0080: Cobalt Group

Cobalt Group is a financially motivated threat group that has primarily targeted financial institutions since at least 2016. The group has conducted intrusions to steal money via targeting ATM systems, card processing, payment systems and SWIFT systems. Cobalt Group has mainly targeted banks in Eastern Europe, Central Asia, and Southeast Asia. One of the alleged leaders was arrested in Spain in early 2018, but the group still appears to be active. The group has been known to target organizations in order to use their access to then compromise additional victims.[1][2][3][4][5][6][7] Reporting indicates there may be links between Cobalt Group and both the malware Carbanak and the group Carbanak.[8]

Malware Enterprise

S1039: Bumblebee

Bumblebee is a custom loader written in C++ that has been used by multiple threat actors, including possible initial access brokers, to download and execute additional payloads since at least March 2022. Bumblebee has been linked to ransomware operations including Conti, Quantum, and Mountlocker and derived its name from the appearance of "bumblebee" in the user-agent.[1][2][3]

Windows
Malware Enterprise

S1130: Raspberry Robin

Raspberry Robin is initial access malware first identified in September 2021, and active through early 2024. The malware is notable for spreading via infected USB devices containing a malicious LNK object that, on execution, retrieves remote hosted payloads for installation. Raspberry Robin has been widely used against various industries and geographies, and as a precursor to information stealer, ransomware, and other payloads such as SocGholish, Cobalt Strike, IcedID, and Bumblebee.[1][2][3] The DLL componenet in the Raspberry Robin infection chain is also referred to as "Roshtyak."[4] The name "Raspberry Robin" is used to refer to both the malware as well as the threat actor associated with its use, although the Raspberry Robin operators are also tracked as Storm-0856 by some vendors.[5]

Windows
Relationship explorer

All related ATT&CK context

uses · Group G0080: Cobalt Group Enterprise subtechnique of · Technique T1218: System Binary Proxy Execution Enterprise detects · Detection Strategy DET0486: Detecting Odbcconf Proxy Execution of Malicious DLLs Enterprise uses · Malware S1039: Bumblebee Enterprise mitigates · Mitigation M1042: Disable or Remove Feature or Program Enterprise mitigates · Mitigation M1038: Execution Prevention Enterprise uses · Malware S1130: Raspberry Robin Enterprise
Mitigations

Mitigation direction

Mitigation Enterprise

M1042: Disable or Remove Feature or Program

Disable or remove unnecessary and potentially vulnerable software, features, or services to reduce the attack surface and prevent abuse by adversaries. This involves identifying software or features that are no longer needed or that could be exploited and ensuring they are either removed or properly disabled. This mitigation can be implemented through the following measures:

Remove Legacy Software:

- Use Case: Disable or remove older versions of software that no longer receive updates or security patches (e.g., legacy Java, Adobe Flash). - Implementation: A company removes Flash Player from all employee systems after it has reached its end-of-life date.

Disable Unused Features:

- Use Case: Turn off unnecessary operating system features like SMBv1, Telnet, or RDP if they are not required. - Implementation: Disable SMBv1 in a Windows environment to mitigate vulnerabilities like EternalBlue.

Control Applications Installed by Users:

- Use Case: Prevent users from installing unauthorized software via group policies or other management tools. - Implementation: Block user installations of unauthorized file-sharing applications (e.g., BitTorrent clients) in an enterprise environment.

Remove Unnecessary Services:

- Use Case: Identify and disable unnecessary default services running on endpoints, servers, or network devices. - Implementation: Disable unused administrative shares (e.g., C$, ADMIN$) on workstations.

Restrict Add-ons and Plugins:

- Use Case: Remove or disable browser plugins and add-ons that are not needed for business purposes. - Implementation: Disable Java and ActiveX plugins in web browsers to prevent drive-by attacks.

Mitigation Enterprise

M1038: Execution Prevention

Prevent the execution of unauthorized or malicious code on systems by implementing application control, script blocking, and other execution prevention mechanisms. This ensures that only trusted and authorized code is executed, reducing the risk of malware and unauthorized actions. This mitigation can be implemented through the following measures:

Application Control:

- Use Case: Use tools like AppLocker or Windows Defender Application Control (WDAC) to create whitelists of authorized applications and block unauthorized ones. On Linux, use tools like SELinux or AppArmor to define mandatory access control policies for application execution. - Implementation: Allow only digitally signed or pre-approved applications to execute on servers and endpoints. (e.g., `New-AppLockerPolicy -PolicyType Enforced -FilePath "C:\Policies\AppLocker.xml"`)

Script Blocking:

- Use Case: Use script control mechanisms to block unauthorized execution of scripts, such as PowerShell or JavaScript. Web Browsers: Use browser extensions or settings to block JavaScript execution from untrusted sources. - Implementation: Configure PowerShell to enforce Constrained Language Mode for non-administrator users. (e.g., `Set-ExecutionPolicy AllSigned`)

Executable Blocking:

- Use Case: Prevent execution of binaries from suspicious locations, such as `%TEMP%` or `%APPDATA%` directories. - Implementation: Block execution of `.exe`, `.bat`, or `.ps1` files from user-writable directories.

Dynamic Analysis Prevention: - Use Case: Use behavior-based execution prevention tools to identify and block malicious activity in real time. - Implemenation: Employ EDR solutions that analyze runtime behavior and block suspicious code execution.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
3.0
Created
Modified
Raw hash
6e60f87b2e8062ca...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 3.0 Current bundle 6e60f87b2e80…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    Microsoft odbcconf.exe

    Microsoft. (2017, January 18). ODBCCONF.EXE. Retrieved March 7, 2019.

    Open source URL
  2. [2]
    LOLBAS Odbcconf

    LOLBAS. (n.d.). Odbcconf.exe. Retrieved March 7, 2019.

    Open source URL
  3. [3]
    TrendMicro Squiblydoo Aug 2017

    Bermejo, L., Giagone, R., Wu, R., and Yarochkin, F. (2017, August 7). Backdoor-carrying Emails Set Sights on Russian-speaking Businesses. Retrieved March 7, 2019.

    Open source URL
  4. [4]
    TrendMicro Cobalt Group Nov 2017

    Giagone, R., Bermejo, L., and Yarochkin, F. (2017, November 20). Cobalt Strikes Again: Spam Runs Use Macros and CVE-2017-8759 Exploit Against Russian Banks. Retrieved March 7, 2019.

    Open source URL
  5. [5]
    mitre-attack T1218.008
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use