Verclsid.exe Runs COM Object

 1title: Verclsid.exe Runs COM Object
 2id: d06be4b9-8045-428b-a567-740a26d9db25
 3status: test
 4description: Detects when verclsid.exe is used to run COM object via GUID
 5references:
 6    - https://lolbas-project.github.io/lolbas/Binaries/Verclsid/
 7    - https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5
 8    - https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/
 9author: Victor Sergeev, oscd.community
10date: 2020-10-09
11modified: 2022-07-11
12tags:
13    - attack.defense-evasion
14    - attack.t1218
15logsource:
16    category: process_creation
17    product: windows
18detection:
19    selection_img:
20        - Image|endswith: '\verclsid.exe'
21        - OriginalFileName: 'verclsid.exe'
22    selection_cli:
23        CommandLine|contains|all:
24            - '/S'
25            - '/C'
26    condition: all of selection_*
27fields:
28    - CommandLine
29falsepositives:
30    - Unknown
31level: medium

References

• Verclsid on LOLBAS

  

  Verclsid.exe is a living-of-the-land file containing unexpected functionality that can be abused by attackers; this page lists all its use cases.

  
  Read More

• xwizard_sct

  

  xwizard_sct. GitHub Gist: instantly share code, notes, and snippets.

  
  Read More

• Abusing the COM Registry Structure (Part 2): Hijacking & Loading Techniques

  

  TL;DR There are several ways that attackers can leverage COM hijacking to influence evasive loading and hidden persistence.  A few examples include CLSID (sub)key abandonment referencing, key …

  
  Read More

Related rules

• Abusing Print Executable
• AddinUtil.EXE Execution From Uncommon Directory
• AgentExecutor PowerShell Execution
• Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE
• Arbitrary File Download Via MSOHTMED.EXE