LOLBAS/yml/OSBinaries/Verclsid.yml
bohops 23dd0236ae
Detection Resources and Other Updates (#179)
* Add detection links for scripts

* Add detection links for OtherMSBins. Fixed and updated as needed.

* Add detection links for MSBins. Fixed and updated as needed.

* Add detection links for oslibraries

* Updating template for Detections

* Removing empty Detection:Sigma entries

* Remove redundant blank line

* Replacing commit URL with file URL

Co-authored-by: root <root@DESKTOP-5CR935D.localdomain>
Co-authored-by: Wietze <wietze@users.noreply.github.com>
2021-11-15 08:19:03 -05:00

29 lines
1.1 KiB
YAML

---
Name: Verclsid.exe
Description:
Author: '@bohops'
Created: 2018-12-04
Commands:
- Command: verclsid.exe /S /C {CLSID}
Description: Used to verify a COM object before it is instantiated by Windows Explorer
Usecase: Run a com object created in registry to evade defensive counter measures
Category: Execute
Privileges: User
MitreID: T1218.012
OperatingSystem: Windows 10
Full_Path:
- Path: C:\Windows\System32\verclsid.exe
- Path: C:\Windows\SysWOW64\verclsid.exe
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_verclsid_runs_com.yml
- Splunk: https://github.com/splunk/security_content/blob/a1afa0fa605639cbef7d528dec46ce7c8112194a/detections/endpoint/verclsid_clsid_execution.yml
Resources:
- Link: https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5
- Link: https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/
Acknowledgement:
- Person: Nick Tyrer
Handle: '@NickTyrer'
---