Description
Adversaries may abuse verclsid.exe to proxy execution of malicious code. Verclsid.exe is known as the Extension CLSID Verification Host and is responsible for verifying each shell extension before it is used by Windows Explorer or the Windows Shell.(Citation: WinOSBite verclsid.exe)
Adversaries may abuse verclsid.exe to execute malicious payloads. This may be achieved by running `verclsid.exe /S /C {CLSID}`, where the file is referenced by a Class ID (CLSID), a unique identification number used to identify COM objects. COM payloads executed by verclsid.exe may be able to perform various malicious actions, such as loading and executing COM scriptlets (SCT) from remote servers (similar to Regsvr32). Since the binary may be signed and/or native on Windows systems, proxying execution via verclsid.exe may bypass application control solutions that do not account for its potential abuse.(Citation: LOLBAS Verclsid)(Citation: Red Canary Verclsid.exe)(Citation: BOHOPS Abusing the COM Registry)(Citation: Nick Tyrer GitHub)
Platforms
Mitigations (3)
Execution Prevention (M1038)
Use application control configured to block execution of verclsid.exe if it is not required for a given system or network to prevent potential misuse by adversaries.
Filter Network Traffic (M1037)
Consider modifying host firewall rules to prevent egress traffic from verclsid.exe.
Disable or Remove Feature or Program (M1042)
Consider removing verclsid.exe if it is not necessary within a given environment.
Associated Software (1)
| ID | Name | Type | Context |
|---|---|---|---|
| S0499 | Hancitor | Malware | [Hancitor](https://attack.mitre.org/software/S0499) has used verclsid.exe to download and execute a malicious script.(Citation: Red Canary Verclsid.ex... |
References
- BOHOPS. (2018, August 18). Abusing the COM Registry Structure (Part 2): Hijacking & Loading Techniques. Retrieved August 10, 2020.
- Haag, M., Levan, K. (2017, April 6). Old Phishing Attacks Deploy a New Methodology: Verclsid.exe. Retrieved August 10, 2020.
- LOLBAS. (n.d.). Verclsid.exe. Retrieved August 10, 2020.
- Tyrer, N. (n.d.). Instructions. Retrieved August 10, 2020.
- verclsid-exe. (2019, December 17). verclsid.exe File Information - What is it & How to Block. Retrieved November 17, 2024.
Frequently Asked Questions
What is T1218.012 (Verclsid)?
T1218.012 is a MITRE ATT&CK technique named 'Verclsid'. It belongs to the Stealth tactic(s). Adversaries may abuse verclsid.exe to proxy execution of malicious code. Verclsid.exe is known as the Extension CLSID Verification Host and is responsible for verifying each shell extension before the...
How can T1218.012 be detected?
Detection of T1218.012 (Verclsid) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
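As an added example that is not part of this ATT&CK page or of any tool it cites, the following Python scores process-creation events against the `verclsid.exe /S /C {CLSID}` pattern from the description above, flagging an unexpected parent process and a CLSID outside an allowlist. The sample events, the CLSID values, and the baseline that explorer.exe is the expected caller while Office and script hosts are suspicious are constructed assumptions for illustration, not values from the page.

```python
import re

# Regex for a GUID-style CLSID in braces, e.g. {01234567-89AB-CDEF-0123-456789ABCDEF}.
CLSID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
# Assumed baseline for this example: explorer.exe verifying shell extensions is the
# expected caller; document and script hosts launching verclsid.exe are suspicious.
EXPECTED_PARENTS = {"explorer.exe"}
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "wscript.exe",
                      "cscript.exe", "mshta.exe", "powershell.exe", "cmd.exe"}
# Constructed sample process-creation events (Sysmon Event ID 1 style); the CLSID
# values are made up for this example and identify no real COM object.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\verclsid.exe",
     "CommandLine": r'"C:\Windows\System32\verclsid.exe" /S /C {11111111-2222-3333-4444-555555555555} /I {66666666-7777-8888-9999-AAAAAAAAAAAA}'},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\verclsid.exe",
     "CommandLine": r"verclsid.exe /S /C {DEADBEEF-0000-4000-8000-000000000001}"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe report.txt"},
]

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def analyze_event(event, clsid_allowlist):
    """Return the reasons an event looks like T1218.012 abuse ([] when benign)."""
    if basename(event["Image"]) != "verclsid.exe":
        return []
    reasons = []
    parent = basename(event["ParentImage"])
    if parent in SUSPICIOUS_PARENTS:
        reasons.append(f"launched by {parent}")
    elif parent not in EXPECTED_PARENTS:
        reasons.append(f"unexpected parent {parent}")
    # The page gives the form "verclsid.exe /S /C {CLSID}": inspect the token after /C.
    tokens = event["CommandLine"].split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.upper() == "/C" and CLSID_RE.match(tokens[i + 1]):
            clsid = tokens[i + 1].upper()
            if clsid not in clsid_allowlist:
                reasons.append(f"CLSID {clsid} not in allowlist")
    return reasons

def scan(events, clsid_allowlist):
    """Map each flagged command line to its reasons; benign events are omitted."""
    return {e["CommandLine"]: r for e in events if (r := analyze_event(e, clsid_allowlist))}
```

Running `scan(SAMPLE_EVENTS, {"{11111111-2222-3333-4444-555555555555}"})` flags only the WINWORD.EXE-spawned invocation, for both its parent and its unlisted CLSID.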
What mitigations exist for T1218.012?
There are 3 documented mitigations for T1218.012. Key mitigations include: Execution Prevention, Filter Network Traffic, Disable or Remove Feature or Program.
Which threat groups use T1218.012?
While specific threat group attribution may vary, this technique has been observed in various real-world attacks. Check the MITRE ATT&CK website for the latest threat intelligence.