Disable and Monitor Verclsid.exe System Binary (CM0007)

In Playbook

Details

  • ID: CM0007
  • Version: 1.0
  • Created: 14 March 2025
  • Modified: 14 March 2025
  • Type: Disable, Examine
  • Status: Active

Intended Outcome

Disabling and monitoring the Verclsid.exe system binary blocks or detects adversary defense evasion using proxy execution of code.

Introduction

Verclsid.exe is known as the Extension CLSID Verification Host and can be used to verify each shell extension before use by Windows Explorer or the Windows Shell (faulty shell extensions that can cause crashes when used with explorer.exe). However, the tool can be abused to execute malicious component object model (COM) objects.

Preparation

  • Identify a baseline of behavior for Verclsid.exe.
  • Determine necessity of permitting Verclsid.exe in the environment.

Risks

  • This countermeasure can break legitimate functionality.
  • Removing Verclsid.exe may result in backward compatibility issues.

Guidance

Monitor

Configure the host-based agent to monitor for:
  • Process execution
  • Command-line parameter inspection
  • Process lineage monitoring
To gain insight into attempts at binary masquerading, consider collecting process metadata Adversaries have been observed renaming binaries to evade brittle detections.
  • Monitor for network calls from the verclsid.exe binary.

Block

  • Update the Windows Firewall or host-based agent to block network connections from the verclsid.exe binaries

%SystemRoot%\system32\verclsid.exe

%SystemRoot%\syswow64\verclsid.exe

References

  • ID: CM0007
  • Version: 1.0
  • Created: 13 March 2025
  • Modified: 13 March 2025
  • Type: Disable, Examine