Verclsid

Adversaries may abuse verclsid.exe to proxy execution of malicious code. Verclsid.exe is known as the Extension CLSID Verification Host and responsible for verifying each shell extension before that are used by Windows Explorer or the Windows Shell.

Adversaries may abuse verclisd.exe to execute malicious payloads. This may be achieved by running verclsid.exe /S /C {{CLSID}}, where the file is referenced by a Class ID (CLSID), a unique identification number used to identify COM objects. COM payloads executed by verclsid.exe may be able to perform various malicious actions, such as loading and executing COM scriptlets (SCT) from remote servers (similar to Regsvr32). Since it is signed and native on Windows systems, proxying execution via verclsid.exe may bypass application control solutions that do not account for its potential abuse.

Example

References:

ReaCOM/Verclsid.md at master · homjxi0e/ReaCOMGitHub

COM Hijacking Launch ingress SCT Using xwizard.exe invoke-CLSID COM

Abusing the COM Registry Structure (Part 2): Hijacking & Loading Techniquesbohops

PreviousRundll32 NextT1055: Process Injection

Last updated 3 years ago