title: Verclsid (T1218.012)
id: df00tech-t1218-012
status: experimental
description: "Adversaries may abuse verclsid.exe to proxy execution of malicious code. Verclsid.exe (Extension CLSID Verification Host) is responsible for verifying each shell extension before it is used by Windows Explorer or the Windows Shell. Adversaries can register a malicious COM object under a CLSID and then invoke verclsid.exe with that CLSID to trigger execution. Since verclsid.exe is signed by Microsoft and performs legitimate COM verification activities, it can bypass application control solutions. Hancitor malware is a known user of this technique."
references:
  - https://attack.mitre.org/techniques/T1218/012/
  - https://df00tech.com/detections/T1218.012
author: df00tech
date: 2026/04/13
tags:
  - attack.t1218.012
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Windows Explorer and shell initialization processes that invoke verclsid.exe to verify registered shell extensions during startup
  - Software that registers COM shell extensions and triggers their verification via verclsid.exe during installation
  - Security software that uses verclsid.exe as part of COM extension auditing or verification workflows
  - System administrators manually verifying COM shell extension CLSIDs for troubleshooting purposes
level: high
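Because the detection block above is only a placeholder, here is an added example (not part of the df00tech rule or its KQL/SPL query) showing the selection logic the description calls for, run over constructed Sysmon process_creation events: it flags verclsid.exe launches that carry a CLSID on the command line and whose parent is not one of the benign shell or installer parents named under falsepositives. The BENIGN_PARENTS allow list and the sample events are assumptions for illustration.

```python
import re

# Constructed Sysmon Event ID 1 (process_creation) samples, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\verclsid.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "verclsid.exe /S /C {1F3C1D1D-0000-0000-0000-000000000001}"},
    {"Image": r"C:\Windows\System32\verclsid.exe",
     "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": "verclsid.exe /S /C {1F3C1D1D-0000-0000-0000-000000000002}"},
    {"Image": r"C:\Windows\System32\verclsid.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "verclsid.exe /S /C {1F3C1D1D-0000-0000-0000-000000000003}"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe report.txt"},
]

# GUID-in-braces pattern, the shape of a CLSID argument.
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Parents taken from the rule's falsepositives section: the shell itself and
# installers that register shell extensions. Hypothetical allow list; tune it
# to the parents actually seen in your environment.
BENIGN_PARENTS = {"explorer.exe", "msiexec.exe"}


def basename(path: str) -> str:
    """Return the file name of a Windows path, lower-cased for comparison."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_suspicious(event: dict) -> bool:
    """True when verclsid.exe is launched with a CLSID by a non-shell parent."""
    if basename(event.get("Image", "")) != "verclsid.exe":
        return False
    if basename(event.get("ParentImage", "")) in BENIGN_PARENTS:
        return False
    return CLSID_RE.search(event.get("CommandLine", "")) is not None


def hunt(events: list) -> list:
    """Return the CLSIDs from the events the selection flags, in input order."""
    return [CLSID_RE.search(e["CommandLine"]).group(0)
            for e in events if is_suspicious(e)]


if __name__ == "__main__":
    for clsid in hunt(SAMPLE_EVENTS):
        print("suspicious verclsid.exe launch for", clsid)
```

The flagged CLSID is the pivot for triage: resolve it under HKCR\CLSID and HKCU\Software\Classes\CLSID and inspect the InprocServer32 or LocalServer32 path it points to.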
