Verclsid.exe Runs COM Object
Detects when verclsid.exe is used to run a COM object via its GUID
Sigma rule
```yaml
title: Verclsid.exe Runs COM Object
id: d06be4b9-8045-428b-a567-740a26d9db25
status: test
description: Detects when verclsid.exe is used to run a COM object via its GUID
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Verclsid/
    - https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5
    - https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/
author: Victor Sergeev, oscd.community
date: 2020-10-09
modified: 2025-10-07
tags:
    - attack.defense-evasion
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\verclsid.exe'
        - OriginalFileName: 'verclsid.exe'
    selection_cli:
        CommandLine|contains|all:
            - '/S'
            - '/C'
    filter_main_runtimebroker:
        ParentImage|endswith: 'C:\Windows\System32\RuntimeBroker.exe'
        CommandLine|contains|all:
            - 'verclsid.exe" /S /C {'
            - '} /I {'
    condition: all of selection_* and not 1 of filter_main_*
fields:
    - CommandLine
falsepositives:
    - Unknown
level: medium
```
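To see what the selections and the filter actually do, here is the rule's matching logic re-implemented by hand and run over a handful of constructed process_creation events. This is an added example, not code from the Sigma project or from the rule's author; it assumes Sysmon-style field names (Image, OriginalFileName, CommandLine, ParentImage), treats string matching as case-insensitive as Sigma does by default, and uses placeholder GUIDs that are not real CLSIDs or IIDs.

```python
"""Added example: hand-written evaluation of the 'Verclsid.exe Runs COM Object'
Sigma logic over constructed events. Not Sigma's own backend code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process_creation event using Sysmon EID 1 field names."""
    name: str                 # label for the constructed sample, not a log field
    Image: str
    OriginalFileName: str
    CommandLine: str
    ParentImage: str


def _endswith(value: str, suffix: str) -> bool:
    # Sigma string modifiers are case-insensitive by default.
    return value.lower().endswith(suffix.lower())


def _contains_all(value: str, needles) -> bool:
    v = value.lower()
    return all(n.lower() in v for n in needles)


def selection_img(ev: ProcessEvent) -> bool:
    # A list of maps in Sigma is OR: match on the path or on the PE original name,
    # so a renamed copy of the binary is still caught.
    return _endswith(ev.Image, r"\verclsid.exe") or ev.OriginalFileName.lower() == "verclsid.exe"


def selection_cli(ev: ProcessEvent) -> bool:
    # Both switches must appear somewhere in the command line, in any case.
    return _contains_all(ev.CommandLine, ["/S", "/C"])


def filter_main_runtimebroker(ev: ProcessEvent) -> bool:
    # The benign shape the rule excludes: RuntimeBroker.exe launching the quoted
    # binary with a CLSID (/C) and an interface IID (/I).
    return _endswith(ev.ParentImage, r"C:\Windows\System32\RuntimeBroker.exe") and _contains_all(
        ev.CommandLine, ['verclsid.exe" /S /C {', "} /I {"]
    )


def matches(ev: ProcessEvent) -> bool:
    # condition: all of selection_* and not 1 of filter_main_*
    return selection_img(ev) and selection_cli(ev) and not filter_main_runtimebroker(ev)


# Constructed samples. The GUIDs below are placeholders, not real CLSIDs/IIDs.
CLSID = "{11111111-2222-3333-4444-555555555555}"
IID = "{66666666-7777-8888-9999-aaaaaaaaaaaa}"
SYS32 = r"C:\Windows\System32"

SAMPLE_EVENTS = [
    ProcessEvent(  # normal shell extension verification: excluded by the filter
        name="explorer_benign",
        Image=rf"{SYS32}\verclsid.exe",
        OriginalFileName="verclsid.exe",
        CommandLine=rf'"{SYS32}\verclsid.exe" /S /C {CLSID} /I {IID}',
        ParentImage=rf"{SYS32}\RuntimeBroker.exe",
    ),
    ProcessEvent(  # shell-spawned verclsid.exe loading a CLSID: alerts
        name="cmd_child",
        Image=rf"{SYS32}\verclsid.exe",
        OriginalFileName="verclsid.exe",
        CommandLine=f"verclsid.exe /S /C {CLSID}",
        ParentImage=rf"{SYS32}\cmd.exe",
    ),
    ProcessEvent(  # renamed copy, lowercase switches: caught via OriginalFileName
        name="renamed_copy",
        Image=r"C:\Users\Public\vc.exe",
        OriginalFileName="verclsid.exe",
        CommandLine=f"vc.exe /s /c {CLSID}",
        ParentImage=rf"{SYS32}\WindowsPowerShell\v1.0\powershell.exe",
    ),
    ProcessEvent(  # RuntimeBroker parent but no /I part: the filter does not apply
        name="runtimebroker_no_iid",
        Image=rf"{SYS32}\verclsid.exe",
        OriginalFileName="verclsid.exe",
        CommandLine=rf'"{SYS32}\verclsid.exe" /S /C {CLSID}',
        ParentImage=rf"{SYS32}\RuntimeBroker.exe",
    ),
    ProcessEvent(  # same switches on another binary: fails selection_img
        name="unrelated_switches",
        Image=rf"{SYS32}\cmd.exe",
        OriginalFileName="Cmd.Exe",
        CommandLine="cmd.exe /S /C dir",
        ParentImage=rf"{SYS32}\explorer.exe",
    ),
]


def run_rule(events) -> list[str]:
    """Return the names of the events the rule would alert on."""
    return [ev.name for ev in events if matches(ev)]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{ev.name:22} alert={matches(ev)}")
```

Two points worth noting when tuning this rule. The filter is narrow on purpose: it only suppresses the exact quoted, CLSID-plus-IID shape spawned by RuntimeBroker.exe, so a legitimate launch that differs from that shape (as in the runtimebroker_no_iid sample) still alerts and may need an environment-specific filter. Conversely, selection_cli only requires that "/S" and "/C" appear somewhere in the command line, so the image or original-file-name selection is what keeps the rule from firing on every cmd.exe /S /C invocation.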
Related rules
- Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE
- Process Proxy Execution Via Squirrel.EXE
- Potentially Suspicious Child Processes Spawned by ConHost
- Scheduled Task Creation with Curl and PowerShell Execution Combo
- Curl Download And Execute Combination