Detect Verclsid in Microsoft Sentinel
Adversaries may abuse verclsid.exe to proxy execution of malicious code. Verclsid.exe (Extension CLSID Verification Host) is responsible for verifying each shell extension before it is used by Windows Explorer or the Windows Shell. Adversaries can register a malicious COM object under a CLSID and then invoke verclsid.exe with that CLSID to trigger execution. Since verclsid.exe is signed by Microsoft and performs legitimate COM verification activities, it can bypass application control solutions. Hancitor malware is a known user of this technique.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1218 System Binary Proxy Execution
- Sub-technique
- T1218.012 Verclsid
- Canonical reference
- https://attack.mitre.org/techniques/T1218/012/
KQL Detection Query
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "verclsid.exe"
| extend HasCLSID = ProcessCommandLine matches regex @"\{[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}"
| extend SuspiciousParent = InitiatingProcessFileName has_any ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "winword.exe", "excel.exe", "outlook.exe")
| extend ForcedExec = ProcessCommandLine has_any ("/s", "/c")
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName,
InitiatingProcessCommandLine, HasCLSID, SuspiciousParent, ForcedExec
| sort by Timestamp desc
union (
DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName =~ "verclsid.exe"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by Timestamp desc
)Detects verclsid.exe abuse by monitoring for execution with CLSID arguments, especially from suspicious parent processes. Also monitors for any child process spawning from verclsid.exe which should not occur during legitimate shell extension verification. The forced execution flags (/s, /c) combined with CLSID arguments are the core adversarial pattern.
Data Sources
Required Tables
False Positives & Tuning
- Windows Explorer and shell initialization processes that invoke verclsid.exe to verify registered shell extensions during startup
- Software that registers COM shell extensions and triggers their verification via verclsid.exe during installation
- Security software that uses verclsid.exe as part of COM extension auditing or verification workflows
- System administrators manually verifying COM shell extension CLSIDs for troubleshooting purposes
Other platforms for T1218.012
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Verclsid Execution with CLSID Argument
Expected signal: Sysmon Event ID 1: verclsid.exe with /S /C and CLSID in command line. Security Event ID 4688. The process will attempt to load the COM object registered for this CLSID.
- Test 2Verclsid Launched from cmd.exe
Expected signal: Sysmon Event ID 1: cmd.exe then verclsid.exe with ParentImage=cmd.exe. HasCLSID, ForcedExec, and SuspiciousParent all fire.
- Test 3Malicious COM CLSID Registration for Verclsid Abuse
Expected signal: Sysmon Event ID 13 (Registry Value Set): HKCU\Software\Classes\CLSID path with Temp DLL path as data. The COM registration hunting query captures this as a malicious InprocServer32 pointing to a temp directory.
References (5)
- https://attack.mitre.org/techniques/T1218/012/
- https://lolbas-project.github.io/lolbas/Binaries/Verclsid/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.012/T1218.012.md
- https://www.winosbit.com/articles/what-is-verclsid.exe
- https://www.proofpoint.com/us/threat-insight/post/hancitor-goes-dark
Unlock Pro Content
Get the full detection package for T1218.012 including response playbook, investigation guide, and atomic red team tests.