Verclsid.exe Runs COM Object
Detects when verclsid.exe is used to run COM object via GUID
Sigma rule (View on GitHub)
1title: Verclsid.exe Runs COM Object
2id: d06be4b9-8045-428b-a567-740a26d9db25
3status: test
4description: Detects when verclsid.exe is used to run COM object via GUID
5references:
6 - https://lolbas-project.github.io/lolbas/Binaries/Verclsid/
7 - https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5
8 - https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/
9author: Victor Sergeev, oscd.community
10date: 2020/10/09
11modified: 2022/07/11
12tags:
13 - attack.defense_evasion
14 - attack.t1218
15logsource:
16 category: process_creation
17 product: windows
18detection:
19 selection_img:
20 - Image|endswith: '\verclsid.exe'
21 - OriginalFileName: 'verclsid.exe'
22 selection_cli:
23 CommandLine|contains|all:
24 - '/S'
25 - '/C'
26 condition: all of selection_*
27fields:
28 - CommandLine
29falsepositives:
30 - Unknown
31level: medium
References
-
Used to verify a COM object before it is instantiated by Windows Explorer verclsid.exe /S /C {CLSID} Use caseRun a com object created in registry to evade defensive counter measures Privileges requ...
Read More -
-
TL;DR There are several ways that attackers can leverage COM hijacking to influence evasive loading and hidden persistence. A few examples include CLSID (sub)key abandonment referencing, key …
Read More
Related rules
- DLL Execution via Rasautou.exe
- Indirect Command Execution By Program Compatibility Wizard
- Malicious PE Execution by Microsoft Visual Studio Debugger
- Time Travel Debugging Utility Usage
- Bypass UAC via CMSTP