T1218.012: Verclsid

Adversaries may abuse verclsid.exe to proxy execution of malicious code. Verclsid.exe is known as the Extension CLSID Verification Host and is responsible for verifying each shell extension before they are used by Windows Explorer or the Windows Shell.

Adversaries may abuse verclsid.exe to execute malicious payloads. This may be achieved by running verclsid.exe /S /C {CLSID}, where the file is referenced by a Class ID (CLSID), a unique identification number used to identify COM objects. COM payloads executed by verclsid.exe may be able to perform various malicious actions, such as loading and executing COM scriptlets (SCT) from remote servers (similar to Regsvr32). Since the binary may be signed and/or native on Windows systems, proxying execution via verclsid.exe may bypass application control solutions that do not account for its potential abuse.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

Monitoring of events related to execution of verclsid.exe with command line input containing 'verclsid.exe /S /C'.

Expert Required. The technique is detected only with the combination of «PT Product + Expert»

Detection

ID: DS0017
Data source and component: Command: Command Execution
Description:

Command arguments used before and after the invocation of verclsid.exe may also be useful in determining the origin and purpose of the payload being executed.

ID: DS0009
Data source and component: Process: Process Creation
Description:

Use process monitoring to monitor the execution and arguments of verclsid.exe. Compare recent invocations of verclsid.exe with prior history of known good arguments and loaded files to determine anomalous and potentially adversarial activity. Depending on the environment, it may be unusual for verclsid.exe to have a parent process of a Microsoft Office product. It may also be unusual for verclsid.exe to have any child processes or to make network connections or file modifications.
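The process-monitoring guidance above can be turned into scoring logic that runs over process-creation and network-connection telemetry. The following is an added example, not part of the ATT&CK page or any Positive Technologies product: it flags verclsid.exe invocations matching the /S /C pattern, an Office parent process, any child process, and any network connection, and ranks each verclsid.exe process by how many of these signals it accumulates. The event records are constructed samples in the shape of Sysmon process-creation and network-connection fields, the all-zero CLSID is a placeholder, and the field names are assumptions about the collector's schema.

```python
import ntpath
import re
from collections import defaultdict

# Parent images that are unusual for verclsid.exe (Office products, per the detection guidance).
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}

# Matches the "verclsid.exe /S /C {CLSID}" invocation pattern, with or without a quoted path.
VERCLSID_S_C = re.compile(r'verclsid\.exe"?\s+/S\s+/C\s+\{[0-9A-Fa-f-]{36}\}', re.IGNORECASE)

# Constructed sample telemetry (Sysmon Event ID 1 style fields). Not real events.
# The CLSID is an all-zero placeholder, not a real class identifier.
PROCESS_EVENTS = [
    # Routine shell-extension verification launched by Explorer: command line matches, nothing else.
    {"pid": 4120, "image": r"C:\Windows\System32\verclsid.exe",
     "cmdline": r'"C:\Windows\System32\verclsid.exe" /S /C {00000000-0000-0000-0000-000000000000}',
     "parent_pid": 1234, "parent_image": r"C:\Windows\explorer.exe"},
    # Suspicious: verclsid.exe spawned by Word.
    {"pid": 5533, "image": r"C:\Windows\System32\verclsid.exe",
     "cmdline": r"verclsid.exe /S /C {00000000-0000-0000-0000-000000000000}",
     "parent_pid": 5100, "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    # Suspicious: verclsid.exe should not have child processes.
    {"pid": 6001, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c whoami",
     "parent_pid": 5533, "parent_image": r"C:\Windows\System32\verclsid.exe"},
    # Unrelated process, should produce no finding.
    {"pid": 7000, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe",
     "parent_pid": 1234, "parent_image": r"C:\Windows\explorer.exe"},
]

# Constructed sample network-connection telemetry (Sysmon Event ID 3 style fields).
# 203.0.113.0/24 is the TEST-NET-3 documentation range.
NETWORK_EVENTS = [
    {"pid": 5533, "image": r"C:\Windows\System32\verclsid.exe", "dest_ip": "203.0.113.10", "dest_port": 443},
    {"pid": 7000, "image": r"C:\Windows\System32\notepad.exe", "dest_ip": "203.0.113.20", "dest_port": 80},
]


def image_name(path):
    """Lower-cased file name of a Windows image path."""
    return ntpath.basename(path).lower()


def is_verclsid(path):
    return image_name(path) == "verclsid.exe"


def score_events(process_events, network_events):
    """Return {verclsid_pid: [signal, ...]} for every verclsid.exe process seen.

    Signals:
      s_c_cmdline        - command line matches "verclsid.exe /S /C {CLSID}" (context, also seen in benign use)
      office_parent      - parent process is a Microsoft Office product
      child_process      - verclsid.exe spawned a child process
      network_connection - verclsid.exe made a network connection
    """
    findings = defaultdict(list)
    verclsid_pids = set()

    for ev in process_events:
        if is_verclsid(ev["image"]):
            verclsid_pids.add(ev["pid"])
            if VERCLSID_S_C.search(ev["cmdline"]):
                findings[ev["pid"]].append("s_c_cmdline")
            if image_name(ev["parent_image"]) in OFFICE_IMAGES:
                findings[ev["pid"]].append("office_parent")

    # Second pass: any process whose parent is verclsid.exe is attributed to that parent.
    for ev in process_events:
        if is_verclsid(ev["parent_image"]) and ev["parent_pid"] in verclsid_pids:
            findings[ev["parent_pid"]].append("child_process")

    for net in network_events:
        if net["pid"] in verclsid_pids and is_verclsid(net["image"]):
            findings[net["pid"]].append("network_connection")

    return dict(findings)


def rank(findings):
    """Sort verclsid.exe processes by number of signals, highest first."""
    return sorted(((pid, len(sig)) for pid, sig in findings.items()), key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    result = score_events(PROCESS_EVENTS, NETWORK_EVENTS)
    for pid, score in rank(result):
        print(pid, score, result[pid])
```

The command-line match is deliberately treated as one signal among several rather than an alert on its own, because Explorer launches verclsid.exe with /S /C for every shell extension it verifies; the Office parent, child process and network signals are what separate PID 5533 from the routine PID 4120 invocation, in line with the baseline comparison the guidance recommends.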

Mitigation

ID: M1037
Name: Filter Network Traffic
Description:

Consider modifying host firewall rules to prevent egress traffic from verclsid.exe.

ID: M1042
Name: Disable or Remove Feature or Program
Description:

Consider removing verclsid.exe if it is not necessary within a given environment.

ID: M1038
Name: Execution Prevention
Description:

Use application control configured to block execution of verclsid.exe if it is not required for a given system or network to prevent potential misuse by adversaries.