Detects abuse of verclsid.exe to execute COM objects by monitoring process creation together with the CLSID passed on the command line, DLLs or scriptlet engines loaded into the verclsid.exe process, and outbound network connections: if the CLSID points to remote SCT/HTA content, verclsid.exe makes an outbound connection to fetch it.
| Data Component | Source | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Module Load (DC0016) | WinEventLog:Sysmon | EventCode=7 |
| Windows Registry Key Modification (DC0063) | WinEventLog:Sysmon | EventCode=13, 14 |
| Network Connection Creation (DC0082) | WinEventLog:Sysmon | EventCode=3 |

| Field | Description |
|---|---|
| AllowedCLSIDs | Baseline CLSIDs frequently invoked by verclsid.exe in normal shell extension verification. |
| ParentProcessFilter | Unusual parents (e.g., winword.exe, excel.exe) spawning verclsid.exe should be treated as suspicious. |
| TimeWindow | Correlation window between verclsid.exe start, module load, and network activity. |
| ExternalIPRange | Restrict detection to external IPs not in approved ranges to cut noise. |
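The correlation the two tables describe, worked through as an added example (this is not code from the original analytic): Sysmon EventCode 1, 7 and 3 records are grouped by the ProcessGuid of each verclsid.exe process, the AllowedCLSIDs, ParentProcessFilter, TimeWindow and ExternalIPRange tunables are applied, and every process that trips at least one indicator is returned with its reasons. The Sysmon field names (EventCode, UtcTime, ProcessGuid, Image, ParentImage, CommandLine, ImageLoaded, DestinationIp) follow the Sysmon schema; the tunable values, the list of script-engine DLLs, the sample events and the CLSIDs in them are constructed placeholders, not a vetted baseline.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# --- Tunables from the analytic (placeholder values, not a vetted baseline) ---
ALLOWED_CLSIDS = {"{11111111-2222-3333-4444-555555555555}"}   # constructed placeholder CLSID
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe"}             # ParentProcessFilter
TIME_WINDOW = timedelta(seconds=60)                            # TimeWindow after process start
APPROVED_RANGES = [ipaddress.ip_network(n) for n in            # ExternalIPRange: RFC 1918 as placeholder
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Script/scriptlet engines whose load inside verclsid.exe is unexpected (assumed list)
SCRIPT_ENGINES = {"scrobj.dll", "jscript.dll", "vbscript.dll"}

CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\}")


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")   # Sysmon UtcTime format


def _base(path):
    return path.rsplit("\\", 1)[-1].lower()


def correlate(events):
    """Group Sysmon events by the verclsid.exe ProcessGuid they belong to."""
    procs = {}
    for e in sorted(events, key=lambda e: e["UtcTime"]):
        code, guid = e["EventCode"], e["ProcessGuid"]
        if code == 1 and _base(e["Image"]) == "verclsid.exe":
            procs[guid] = {
                "start": _ts(e["UtcTime"]),
                "parent": _base(e["ParentImage"]),
                "clsids": [c.upper() for c in CLSID_RE.findall(e["CommandLine"])],
                "modules": [], "external": [],
            }
            continue
        p = procs.get(guid)
        if p is None or _ts(e["UtcTime"]) - p["start"] > TIME_WINDOW:
            continue   # not a tracked verclsid.exe process, or outside the correlation window
        if code == 7:
            mod = _base(e["ImageLoaded"])
            if mod in SCRIPT_ENGINES:
                p["modules"].append(mod)
        elif code == 3:
            ip = ipaddress.ip_address(e["DestinationIp"])
            if not any(ip in net for net in APPROVED_RANGES):
                p["external"].append(str(ip))
    return procs


def evaluate(proc):
    """Return the reasons a correlated verclsid.exe process is suspicious (empty = benign)."""
    allowed = {a.upper() for a in ALLOWED_CLSIDS}
    reasons = []
    unknown = [c for c in proc["clsids"] if c not in allowed]
    if unknown:
        reasons.append("CLSID not in baseline: " + ", ".join(unknown))
    if proc["parent"] in SUSPICIOUS_PARENTS:
        reasons.append("spawned by " + proc["parent"])
    if proc["modules"]:
        reasons.append("script engine loaded: " + ", ".join(proc["modules"]))
    if proc["external"]:
        reasons.append("outbound connection to " + ", ".join(proc["external"]))
    return reasons


def detect(events):
    """Map ProcessGuid -> reasons for every verclsid.exe process that tripped an indicator."""
    alerts = {}
    for guid, proc in correlate(events).items():
        reasons = evaluate(proc)
        if reasons:
            alerts[guid] = reasons
    return alerts


# Constructed sample events (not real telemetry)
SAMPLE_EVENTS = [
    # Benign: explorer.exe verifies a baselined shell-extension CLSID, loads shell32.dll only
    {"EventCode": 1, "UtcTime": "2024-05-01 12:00:00.000", "ProcessGuid": "{A1}",
     "Image": r"C:\Windows\System32\verclsid.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "verclsid.exe /S /C {11111111-2222-3333-4444-555555555555}"},
    {"EventCode": 7, "UtcTime": "2024-05-01 12:00:00.050", "ProcessGuid": "{A1}",
     "ImageLoaded": r"C:\Windows\System32\shell32.dll"},
    # Suspicious: Word spawns verclsid.exe with an unbaselined CLSID, scrobj.dll loads, connection follows
    {"EventCode": 1, "UtcTime": "2024-05-01 12:05:00.000", "ProcessGuid": "{B2}",
     "Image": r"C:\Windows\System32\verclsid.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "verclsid.exe /S /C {DEADBEEF-0000-4000-8000-000000000001}"},
    {"EventCode": 7, "UtcTime": "2024-05-01 12:05:00.200", "ProcessGuid": "{B2}",
     "ImageLoaded": r"C:\Windows\System32\scrobj.dll"},
    {"EventCode": 3, "UtcTime": "2024-05-01 12:05:01.000", "ProcessGuid": "{B2}",
     "DestinationIp": "203.0.113.10"},
    # An approved-range destination and a connection outside TimeWindow are both ignored
    {"EventCode": 3, "UtcTime": "2024-05-01 12:05:02.000", "ProcessGuid": "{B2}",
     "DestinationIp": "10.1.2.3"},
    {"EventCode": 3, "UtcTime": "2024-05-01 12:15:00.000", "ProcessGuid": "{B2}",
     "DestinationIp": "203.0.113.99"},
]

if __name__ == "__main__":
    for guid, reasons in detect(SAMPLE_EVENTS).items():
        print(guid, "->", "; ".join(reasons))
```

AllowedCLSIDs only suppresses the CLSID reason, so an explorer.exe-spawned verclsid.exe with a baselined CLSID and no engine load or external connection produces nothing, while an unbaselined CLSID alone still surfaces as a single low-weight reason for tuning. The registry events (EventCode 13/14) from the first table are not correlated here; a production version would add CLSID key changes as a fifth indicator keyed on the same time window.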