
DET0042 Detection Strategy for T1218.012 Verclsid Abuse

ID: DET0042
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025

Technique Detected: T1218.012 (Verclsid)

Analytics

Windows

AN0118

Detects abuse of verclsid.exe to execute COM objects by monitoring process creation with CLSID arguments, DLLs or scriptlet engines loaded into its memory, and, where the CLSID resolves to remote SCT/HTA content, the outbound network connections verclsid.exe then makes.

Log Sources

Data Component | Name | Channel
Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1
Module Load (DC0016) | WinEventLog:Sysmon | EventCode=7
Windows Registry Key Modification (DC0063) | WinEventLog:Sysmon | EventCode=13, 14
Network Connection Creation (DC0082) | WinEventLog:Sysmon | EventCode=3, 22

Mutable Elements

Field | Description
AllowedCLSIDs | Baseline CLSIDs frequently invoked by verclsid.exe in normal shell extension verification.
ParentProcessFilter | Unusual parents (e.g., winword.exe, excel.exe) spawning verclsid.exe should be treated as suspicious.
TimeWindow | Correlation window between verclsid.exe start, module load, and network activity.
ExternalIPRange | Restrict detection to external IPs not in approved ranges to cut noise.
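The correlation AN0118 describes, carried out over constructed Sysmon-style records as an added example (not code from this detection strategy or from ATT&CK): a verclsid.exe start is scored on its CLSID against AllowedCLSIDs and its parent against ParentProcessFilter, then EventCode 7 and EventCode 3 events of the same ProcessGuid inside TimeWindow are checked for scriptlet/HTML engines and for destinations outside ExternalIPRange. The CLSID values, paths, IP ranges and the choice of scrobj.dll and mshtml.dll as the engines to flag are placeholders and assumptions to tune against your own baseline.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Tunables mirroring the page's Mutable Elements; all values are constructed placeholders.
ALLOWED_CLSIDS = {"{11111111-1111-1111-1111-111111111111}"}         # AllowedCLSIDs
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe"}                    # ParentProcessFilter
TIME_WINDOW = timedelta(seconds=60)                                  # TimeWindow
APPROVED_RANGES = [ipaddress.ip_network("10.0.0.0/8")]               # ExternalIPRange (approved)
SCRIPT_ENGINES = {"scrobj.dll", "mshtml.dll"}  # assumption: engines that back SCT/HTA content
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

def _basename(path):
    return path.lower().rsplit("\\", 1)[-1]
def _ts(event):
    return datetime.strptime(event["UtcTime"], "%Y-%m-%d %H:%M:%S")
def _is_external(ip):
    return not any(ipaddress.ip_address(ip) in net for net in APPROVED_RANGES)

def correlate_verclsid(events):
    """One finding per verclsid.exe start (EventCode 1) that trips a rule; EventCode 7/3 records
    are tied to it by ProcessGuid and must fall inside TIME_WINDOW after the start."""
    findings = []
    for start in (e for e in events if e["EventCode"] == 1 and _basename(e["Image"]) == "verclsid.exe"):
        reasons, t0 = [], _ts(start)
        unknown = set(CLSID_RE.findall(start.get("CommandLine", ""))) - ALLOWED_CLSIDS
        if unknown:
            reasons.append("non-baseline CLSID " + ", ".join(sorted(unknown)))
        parent = _basename(start.get("ParentImage", ""))
        if parent in SUSPICIOUS_PARENTS:
            reasons.append("spawned by " + parent)
        for ev in events:  # follow-on activity of the same process inside the window
            if ev.get("ProcessGuid") != start["ProcessGuid"] or not timedelta(0) <= _ts(ev) - t0 <= TIME_WINDOW:
                continue
            if ev["EventCode"] == 7 and _basename(ev["ImageLoaded"]) in SCRIPT_ENGINES:
                reasons.append("loaded " + _basename(ev["ImageLoaded"]))
            elif ev["EventCode"] == 3 and _is_external(ev["DestinationIp"]):
                reasons.append("outbound to " + ev["DestinationIp"])
        if reasons:
            findings.append({"ProcessGuid": start["ProcessGuid"], "reasons": reasons})
    return findings

# Constructed sample telemetry: a benign shell-extension check (A) and a suspicious chain (B).
V = r"C:\Windows\System32\verclsid.exe"
SAMPLE_EVENTS = [
    {"EventCode": 1, "UtcTime": "2025-10-21 10:00:00", "ProcessGuid": "{A}", "Image": V,
     "CommandLine": "verclsid.exe {11111111-1111-1111-1111-111111111111}", "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventCode": 1, "UtcTime": "2025-10-21 10:05:00", "ProcessGuid": "{B}", "Image": V,
     "CommandLine": "verclsid.exe {22222222-2222-2222-2222-222222222222}", "ParentImage": r"C:\Office\WINWORD.EXE"},
    {"EventCode": 7, "UtcTime": "2025-10-21 10:05:02", "ProcessGuid": "{B}", "Image": V, "ImageLoaded": r"C:\Windows\System32\scrobj.dll"},
    {"EventCode": 3, "UtcTime": "2025-10-21 10:05:03", "ProcessGuid": "{B}", "Image": V, "DestinationIp": "203.0.113.5"},
]
```

Running correlate_verclsid(SAMPLE_EVENTS) yields a single finding for process {B} listing all four reasons, while the explorer.exe-spawned baseline check in {A} produces nothing.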