Verclsid CLSID Execution

Splunk Security Content

Summary
This detection rule identifies potential abuse of verclsid.exe, a legitimate Windows utility whose normal job is to verify CLSID COM objects. Attackers may use it to execute malicious files indirectly by passing crafted command-line patterns, which can lead to system compromise. The rule uses data from Endpoint Detection and Response (EDR) agents, specifically Sysmon EventID 1 and Windows Security Event Log 4688 process-creation records. It looks for processes started as verclsid.exe whose command line shows characteristics indicative of malicious intent, such as braces and other specified operators that do not match the utility's normal usage. Because misuse of verclsid.exe may signal an attempt to execute arbitrary code while evading traditional security controls, this detection is an important safeguard.
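The matching logic described above, as an added illustration run over constructed process-creation events (this is not the Splunk rule's own SPL): it flags verclsid.exe launches whose command line contains braces, and also requires the /S and /C switches that verclsid.exe accepts, which is an assumption about the "other specified operators" the summary mentions.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """Minimal process-creation record (Sysmon EventID 1 or Security 4688)."""
    event_id: int
    image: str
    command_line: str


# Fields a CLSID-shaped token in braces, e.g. {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}.
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def is_verclsid(event: ProcessEvent) -> bool:
    """True when the image name (ignoring path and case) is verclsid.exe."""
    return event.image.lower().replace("/", "\\").rsplit("\\", 1)[-1] == "verclsid.exe"


def is_suspicious(event: ProcessEvent) -> bool:
    """Apply the rule's criteria: verclsid.exe with braces (plus assumed /S and /C)."""
    if event.event_id not in (1, 4688) or not is_verclsid(event):
        return False
    cl = event.command_line
    has_braces = "{" in cl and "}" in cl                      # criterion from the summary
    has_switches = bool(re.search(r"(?i)(^|\s)/s(\s|$)", cl)  # assumed switch check
                        and re.search(r"(?i)(^|\s)/c(\s|$)", cl))
    return has_braces and has_switches


def flagged(events: list[ProcessEvent]) -> list[ProcessEvent]:
    """Return the events the rule would alert on."""
    return [e for e in events if is_suspicious(e)]


# Constructed sample events; the CLSID is a placeholder, not a real identifier.
SAMPLE_EVENTS = [
    ProcessEvent(1, r"C:\Windows\System32\verclsid.exe",
                 "verclsid.exe /S /C {00000000-0000-0000-0000-000000000000}"),
    ProcessEvent(4688, r"C:\Windows\System32\verclsid.exe", "verclsid.exe"),
    ProcessEvent(1, r"C:\Windows\explorer.exe",
                 "explorer.exe ::{00000000-0000-0000-0000-000000000000}"),
]

if __name__ == "__main__":
    for e in flagged(SAMPLE_EVENTS):
        print("ALERT:", e.command_line)
```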
Categories
  • Endpoint
Data Sources
  • Windows Registry
  • File
  • Process
ATT&CK Techniques
  • T1218.012
  • T1218
Created: 2024-11-13