T1218.012 Verclsid Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "verclsid.exe"
| extend HasCLSID = ProcessCommandLine matches regex @"\{[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}"
| extend SuspiciousParent = InitiatingProcessFileName has_any ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "winword.exe", "excel.exe", "outlook.exe")
| extend ForcedExec = ProcessCommandLine has_any ("/s", "/c")
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName,
         InitiatingProcessCommandLine, HasCLSID, SuspiciousParent, ForcedExec
| sort by Timestamp desc
union (
  DeviceProcessEvents
  | where Timestamp > ago(24h)
  | where InitiatingProcessFileName =~ "verclsid.exe"
  | project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
           InitiatingProcessFileName, InitiatingProcessCommandLine
  | sort by Timestamp desc
)

high severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

Windows Explorer and shell initialization processes that invoke verclsid.exe to verify registered shell extensions during startup
Software that registers COM shell extensions and triggers their verification via verclsid.exe during installation
Security software that uses verclsid.exe as part of COM extension auditing or verification workflows
System administrators manually verifying COM shell extension CLSIDs for troubleshooting purposes

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
(Image="*\\verclsid.exe" OR ParentImage="*\\verclsid.exe")
| eval HasCLSID=if(match(CommandLine, "\{[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}"), 1, 0)
| eval SuspiciousParent=if(match(ParentImage, "(cmd|powershell|wscript|cscript|mshta|winword|excel|outlook)\.exe"), 1, 0)
| eval ForcedExec=if(match(CommandLine, "(/s|/c)"), 1, 0)
| eval SuspiciousChild=if(ParentImage="*\\verclsid.exe" AND match(Image, "(cmd|powershell|wscript|cscript)\.exe"), 1, 0)
| eval RiskScore=HasCLSID + SuspiciousParent + ForcedExec + SuspiciousChild
| where RiskScore > 1 OR SuspiciousChild=1
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, HasCLSID, SuspiciousParent, ForcedExec, SuspiciousChild, RiskScore
| sort - _time

high severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Windows Explorer and shell initialization processes that invoke verclsid.exe to verify shell extensions
Software that registers COM shell extensions during installation
Security software using verclsid.exe for COM extension auditing
Administrators manually verifying CLSID registrations

Elastic Security (EQL)

eql

sequence by host.id with maxspan=5m
  [process where event.type == "start" and
   (process.name : "verclsid.exe" or process.parent.name : "verclsid.exe") and
   (
     process.args : ("{????????-????-????-????-????????????}") or
     process.parent.name : ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "winword.exe", "excel.exe", "outlook.exe") or
     process.args : ("/s", "/c")
   )
  ] by process.entity_id
  [process where event.type == "start" and
   process.parent.name : "verclsid.exe" and
   process.name : ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe")
  ] by process.parent.entity_id

high severity high confidence

Data Sources

Elastic Endpoint Security Winlogbeat with Sysmon Elastic Agent (Windows)

Required Tables

logs-endpoint.events.process-* winlogbeat-*

False Positives

Legitimate shell extension verification by Windows Explorer during normal COM registration or shell integration testing by software installers
Security scanning tools or shell extension validators that invoke verclsid.exe programmatically with CLSID parameters during audits
Software deployment tools that register COM objects and use verclsid.exe to verify them as part of installation scripts

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourceid,
  LOGSOURCENAME(logsourceid) AS log_source,
  username,
  sourceip,
  "CommandLine" AS command_line,
  "ParentCommandLine" AS parent_command_line,
  "Image" AS process_image,
  "ParentImage" AS parent_image,
  CASE WHEN LOWER("CommandLine") MATCHES REGEX '\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}' THEN 1 ELSE 0 END AS has_clsid,
  CASE WHEN LOWER("ParentImage") MATCHES REGEX '(cmd|powershell|wscript|cscript|mshta|winword|excel|outlook)\.exe$' THEN 1 ELSE 0 END AS suspicious_parent,
  CASE WHEN LOWER("CommandLine") MATCHES REGEX '(/s|/c)' THEN 1 ELSE 0 END AS forced_exec,
  CASE WHEN LOWER("ParentImage") LIKE '%verclsid.exe' AND LOWER("Image") MATCHES REGEX '(cmd|powershell|wscript|cscript)\.exe$' THEN 1 ELSE 0 END AS suspicious_child
FROM events
WHERE
  LOGSOURCETYPEID(logsourceid) IN (12, 396)
  AND (LOWER("Image") LIKE '%\\verclsid.exe' OR LOWER("ParentImage") LIKE '%\\verclsid.exe')
  AND devicetime > (CURRENT_TIMESTAMP - 86400000)
  AND (
    (CASE WHEN LOWER("CommandLine") MATCHES REGEX '\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}' THEN 1 ELSE 0 END +
     CASE WHEN LOWER("ParentImage") MATCHES REGEX '(cmd|powershell|wscript|cscript|mshta|winword|excel|outlook)\.exe$' THEN 1 ELSE 0 END +
     CASE WHEN LOWER("CommandLine") MATCHES REGEX '(/s|/c)' THEN 1 ELSE 0 END) > 1
    OR LOWER("ParentImage") LIKE '%verclsid.exe'
  )
ORDER BY devicetime DESC

high severity medium confidence

Data Sources

Microsoft Windows Sysmon (via QRadar DSM) Microsoft Windows Security Event Log

Required Tables

events

False Positives

Windows Explorer performing routine shell extension validation for newly installed software with COM components
Enterprise software packaging tools (e.g., MSI installers, ConfigMgr) that register and verify COM objects as part of managed deployments
Security products conducting COM object integrity checks that spawn verclsid.exe via automation scripts

Sumo Logic CSE

sql

_sourceCategory=*windows*sysmon* EventCode=1
| parse "<Image>*</Image>" as process_image nodrop
| parse "<CommandLine>*</CommandLine>" as command_line nodrop
| parse "<ParentImage>*</ParentImage>" as parent_image nodrop
| parse "<ParentCommandLine>*</ParentCommandLine>" as parent_command_line nodrop
| parse "<User>*</User>" as user nodrop
| parse "<Computer>*</Computer>" as host nodrop
| where toLowerCase(process_image) matches "*\\verclsid.exe" or toLowerCase(parent_image) matches "*\\verclsid.exe"
| eval has_clsid = if(process_image matches "*\\verclsid.exe" and matches(command_line, "\{[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}"), 1, 0)
| eval suspicious_parent = if(matches(toLowerCase(parent_image), "(cmd|powershell|wscript|cscript|mshta|winword|excel|outlook)\.exe"), 1, 0)
| eval forced_exec = if(matches(command_line, "(/s|/c)"), 1, 0)
| eval suspicious_child = if(toLowerCase(parent_image) matches "*\\verclsid.exe" and matches(toLowerCase(process_image), "(cmd|powershell|wscript|cscript)\.exe"), 1, 0)
| eval risk_score = has_clsid + suspicious_parent + forced_exec + suspicious_child
| where risk_score > 1 or suspicious_child = 1
| fields _messageTime, host, user, process_image, command_line, parent_image, parent_command_line, has_clsid, suspicious_parent, forced_exec, suspicious_child, risk_score
| sort by _messageTime desc

high severity high confidence

Data Sources

Sysmon for Windows (EventCode 1) Windows Event Log forwarding

Required Tables

_sourceCategory=*windows*sysmon*

False Positives

Automated software testing frameworks that exercise COM shell extensions and invoke verclsid.exe with specific CLSIDs as part of regression testing
IT administration scripts (PowerShell or batch) that perform COM class registration verification as part of environment health checks
Shell extension testing utilities used by developers to validate COM object behavior in Windows Explorer

Google Chronicle / SecOps

yaral

rule verclsid_proxy_execution_t1218_012 {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects verclsid.exe abuse for COM proxy execution (T1218.012). Looks for verclsid launched from suspicious parents with CLSID args, or spawning suspicious child processes."
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1218.012"
    severity = "HIGH"
    priority = "HIGH"

  events:
    (
      // Pattern 1: verclsid.exe launched with CLSID from suspicious parent
      $e.metadata.event_type = "PROCESS_LAUNCH"
      and re.regex($e.target.process.file.full_path, `(?i)\\verclsid\.exe$`)
      and (
        re.regex($e.target.process.command_line, `\{[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}`)
        or re.regex($e.principal.process.file.full_path, `(?i)(cmd|powershell|wscript|cscript|mshta|winword|excel|outlook)\.exe$`)
        or re.regex($e.target.process.command_line, `(?i)(/s|/c)`)
      )
    )
    or
    (
      // Pattern 2: suspicious child process spawned by verclsid.exe
      $e.metadata.event_type = "PROCESS_LAUNCH"
      and re.regex($e.principal.process.file.full_path, `(?i)\\verclsid\.exe$`)
      and re.regex($e.target.process.file.full_path, `(?i)(cmd|powershell|wscript|cscript|mshta)\.exe$`)
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle UDM Events Windows Endpoint Sensor (via Chronicle forwarder) Sysmon forwarded to Chronicle

Required Tables

UDM PROCESS_LAUNCH events

False Positives

System administrators running shell extension validation scripts via PowerShell that call verclsid.exe with known-good CLSIDs during system maintenance
Software installers or setup programs that spawn verclsid.exe as part of COM object registration verification workflows on managed endpoints
Automated build or QA pipelines on developer workstations that test COM interop scenarios using verclsid.exe

CrowdStrike LogScale (CQL)

cql

// Detect verclsid.exe proxy execution abuse - T1218.012
#event_simpleName = "ProcessRollup2"
| ImageFileName = /(?i)\\verclsid\.exe$/ OR ParentBaseFileName = /(?i)verclsid\.exe$/
| eval HasCLSID = if(match(CommandLine, /\{[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}/), 1, 0)
| eval SuspiciousParent = if(match(ParentBaseFileName, /(?i)(cmd|powershell|wscript|cscript|mshta|winword|excel|outlook)\.exe$/), 1, 0)
| eval ForcedExec = if(match(CommandLine, /(?i)(\x2Fs|\x2Fc)/), 1, 0)
| eval SuspiciousChild = if(match(ParentBaseFileName, /(?i)verclsid\.exe$/) and match(ImageFileName, /(?i)(cmd|powershell|wscript|cscript|mshta)\.exe$/), 1, 0)
| eval RiskScore = HasCLSID + SuspiciousParent + ForcedExec + SuspiciousChild
| where RiskScore > 1 or SuspiciousChild = 1
| table timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, ParentCommandLine, HasCLSID, SuspiciousParent, ForcedExec, SuspiciousChild, RiskScore
| sort timestamp desc

high severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Protection Falcon sensor ProcessRollup2 telemetry

Required Tables

ProcessRollup2 (Falcon event stream)

False Positives

Legitimate COM shell extension registration and verification processes triggered by enterprise software deployment tools such as SCCM or Intune during software pushes
Security vendor products that enumerate and validate COM objects using verclsid.exe as part of host-based integrity checking routines
Developer workstations running automated COM interop tests or Visual Studio debugging sessions that invoke verclsid.exe to test custom shell extensions

Verclsid

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections