T1218.012 Verclsid Mappings

Adversaries may abuse verclsid.exe to proxy execution of malicious code. Verclsid.exe is known as the Extension CLSID Verification Host and is responsible for verifying each shell extension before they are used by Windows Explorer or the Windows Shell.(Citation: WinOSBite verclsid.exe)

Adversaries may abuse verclsid.exe to execute malicious payloads. This may be achieved by running <code>verclsid.exe /S /C {CLSID}</code>, where the file is referenced by a Class ID (CLSID), a unique identification number used to identify COM objects. COM payloads executed by verclsid.exe may be able to perform various malicious actions, such as loading and executing COM scriptlets (SCT) from remote servers (similar to Regsvr32). Since it is signed and native on Windows systems, proxying execution via verclsid.exe may bypass application control solutions that do not account for its potential abuse.(Citation: LOLBAS Verclsid)(Citation: Red Canary Verclsid.exe)(Citation: BOHOPS Abusing the COM Registry)(Citation: Nick Tyrer GitHub)

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-3 Access Enforcement Protects T1218.012 Verclsid
AC-4 Information Flow Enforcement Protects T1218.012 Verclsid
CA-7 Continuous Monitoring Protects T1218.012 Verclsid
CM-2 Baseline Configuration Protects T1218.012 Verclsid
CM-6 Configuration Settings Protects T1218.012 Verclsid
CM-7 Least Functionality Protects T1218.012 Verclsid
CM-8 System Component Inventory Protects T1218.012 Verclsid
RA-5 Vulnerability Monitoring and Scanning Protects T1218.012 Verclsid
SC-7 Boundary Protection Protects T1218.012 Verclsid
SI-10 Information Input Validation Protects T1218.012 Verclsid
SI-15 Information Output Filtering Protects T1218.012 Verclsid
SI-4 System Monitoring Protects T1218.012 Verclsid
SI-7 Software, Firmware, and Information Integrity Protects T1218.012 Verclsid