T1218.012 Verclsid
Adversaries may abuse verclsid.exe to proxy execution of malicious code. Verclsid.exe is known as the Extension CLSID Verification Host and is responsible for verifying each shell extension before they are used by Windows Explorer or the Windows Shell.5
Adversaries may abuse verclsid.exe to execute malicious payloads. This may be achieved by running verclsid.exe /S /C {CLSID}, where the file is referenced by a Class ID (CLSID), a unique identification number used to identify COM objects. COM payloads executed by verclsid.exe may be able to perform various malicious actions, such as loading and executing COM scriptlets (SCT) from remote servers (similar to Regsvr32). Since the binary may be signed and/or native on Windows systems, proxying execution via verclsid.exe may bypass application control solutions that do not account for its potential abuse.3214
| Item | Value |
|---|---|
| ID | T1218.012 |
| Sub-techniques | T1218.001, T1218.002, T1218.003, T1218.004, T1218.005, T1218.007, T1218.008, T1218.009, T1218.010, T1218.011, T1218.012, T1218.013, T1218.014 |
| Tactics | TA0005 |
| Platforms | Windows |
| Version | 2.0 |
| Created | 10 August 2020 |
| Last Modified | 20 May 2022 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| S0499 | Hancitor | Hancitor has used verclsid.exe to download and execute a malicious script.2 |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1042 | Disable or Remove Feature or Program | Consider removing verclsid.exe if it is not necessary within a given environment. |
| M1038 | Execution Prevention | Use application control configured to block execution of verclsid.exe if it is not required for a given system or network to prevent potential misuse by adversaries. |
| M1037 | Filter Network Traffic | Consider modifying host firewall rules to prevent egress traffic from verclsid.exe. |
Detection
| ID | Data Source | Data Component |
|---|---|---|
| DS0017 | Command | Command Execution |
| DS0009 | Process | Process Creation |
References
-
BOHOPS. (2018, August 18). Abusing the COM Registry Structure (Part 2): Hijacking & Loading Techniques. Retrieved August 10, 2020. ↩
-
Haag, M., Levan, K. (2017, April 6). Old Phishing Attacks Deploy a New Methodology: Verclsid.exe. Retrieved August 10, 2020. ↩↩
-
Tyrer, N. (n.d.). Instructions. Retrieved August 10, 2020. ↩
-
verclsid-exe. (2019, December 17). verclsid.exe File Information - What is it & How to Block . Retrieved August 10, 2020. ↩