AN0118: Analytic 0118
Detects abuse of verclsid.exe to execute COM objects by monitoring process creation, CLSID arguments, DLLs or scriptlet engines loaded into memory, and, if the CLSID points to remote SCT/HTA content, the outbound connections verclsid.exe makes.
Analyst context for executives and security teams
This analytic matters because it focuses on suspicious use of a legitimate Windows component, verclsid.exe, to execute COM objects. For leaders, the practical issue is not the binary itself, but whether the organization can distinguish normal Windows activity from abuse that may involve unusual CLSID arguments, in-memory loading of DLLs or scriptlet engines, and outbound network connections when remote SCT or HTA content is referenced.
Executive priority
Prioritize this as a Windows detection validation item where endpoint visibility, egress monitoring, and incident response triage depend on understanding legitimate system-tool behavior. It is most useful for confirming whether SOC and IR teams can correlate process creation, command-line detail, module loading, and network activity into defensible evidence. Because no ATT&CK tactics or relationships were supplied, treat this as a focused detection-engineering control rather than a complete risk scenario by itself.
Technical view
Validate that Windows telemetry can capture verclsid.exe process creation, command-line or argument data containing CLSIDs, loaded DLLs, scriptlet-engine-related memory/module activity, and outbound connections from verclsid.exe when remote SCT or HTA content is involved. Detection logic should avoid alerting only on the presence of verclsid.exe and instead look for suspicious combinations of process arguments, unusual loaded components, and network behavior. Triage should establish whether the CLSID and any referenced content are expected in the local environment.
Likely telemetry
- Windows process creation events for verclsid.exe
- Command-line or process argument data, especially CLSID values
- Module or DLL load telemetry associated with verclsid.exe
- Evidence of scriptlet engine loading into memory
- Outbound network connection logs from verclsid.exe
Detection direction
- Confirm that endpoint logging captures full process arguments for verclsid.exe, not only process names.
- Correlate process creation with module/DLL load activity and outbound network connections to reduce false positives.
- Baseline legitimate verclsid.exe usage in the environment before treating all executions as suspicious.
- Review whether remote SCT or HTA references are visible in endpoint, proxy, DNS, or firewall telemetry.
- Account for blind spots where command-line logging, module-load logging, or endpoint network telemetry is absent or inconsistently retained.
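The correlation the Technical view and the Detection direction list call for, as an added example (not MITRE's or Glexia's code): Sysmon-style events (EventID 1 process creation, 7 image load, 3 network connection, joined on ProcessGuid) are grouped per verclsid.exe process, then scored on three independent signals rather than on the binary's presence. The script-engine module list, the CLSID baseline, the GUIDs, CLSIDs and 203.0.113.0/24 addresses in the sample events are all constructed assumptions to be replaced with local data; a missing command line is reported as a telemetry gap instead of being scored benign.

```python
"""Correlate Sysmon-style telemetry for verclsid.exe and decide what to alert on.

Added example, not the analytic's official logic. Field names follow Sysmon
(EventID, ProcessGuid, Image, CommandLine, ImageLoaded, DestinationIp,
DestinationPort); indicator lists, baseline and sample events are assumptions.
"""
import re

CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Assumed indicators: script and scriptlet engines that a routine COM
# registration check has no reason to pull into verclsid.exe. Tune locally.
SCRIPT_ENGINE_DLLS = {"scrobj.dll", "jscript.dll", "jscript9.dll", "vbscript.dll", "mshtml.dll"}


def correlate(events):
    """Join events on ProcessGuid; keep only processes whose image is verclsid.exe."""
    procs = {}
    for ev in events:  # pass 1: anchor on process creation so ordering does not matter
        if ev["EventID"] == 1 and ev["Image"].lower().endswith("\\verclsid.exe"):
            procs[ev["ProcessGuid"]] = {"create": ev, "modules": [], "connections": []}
    for ev in events:  # pass 2: attach module loads and network connections
        p = procs.get(ev["ProcessGuid"])
        if p is None:
            continue
        if ev["EventID"] == 7:
            p["modules"].append(ev["ImageLoaded"].rsplit("\\", 1)[-1].lower())
        elif ev["EventID"] == 3:
            p["connections"].append(f'{ev["DestinationIp"]}:{ev["DestinationPort"]}')
    return procs


def assess(proc, baseline_clsids):
    """Return (verdict, reasons); verdicts are benign, review, alert or telemetry_gap."""
    cmd = proc["create"].get("CommandLine", "")
    if not cmd:
        # Command-line logging is absent: a visibility gap, not evidence of benign use.
        return "telemetry_gap", ["no command line captured for verclsid.exe"]
    reasons = []
    unknown = {c.upper() for c in CLSID_RE.findall(cmd)} - baseline_clsids
    if unknown:
        reasons.append("CLSID not in local baseline: " + ", ".join(sorted(unknown)))
    engines = sorted(set(proc["modules"]) & SCRIPT_ENGINE_DLLS)
    if engines:
        reasons.append("script engine loaded: " + ", ".join(engines))
    if proc["connections"]:
        reasons.append("outbound connection: " + ", ".join(proc["connections"]))
    # Two independent signals raise an alert; a lone unknown CLSID is queued for
    # baseline review, so verclsid.exe presence by itself never pages anyone.
    if len(reasons) >= 2:
        return "alert", reasons
    if reasons:
        return "review", reasons
    return "benign", []


def detect(events, baseline_clsids):
    """Map each verclsid.exe ProcessGuid to its (verdict, reasons)."""
    return {guid: assess(p, baseline_clsids) for guid, p in correlate(events).items()}


# Constructed sample telemetry (not real logs). The baseline holds one well-known
# shell namespace CLSID as a stand-in for whatever local baselining collects.
BASELINE = {"{20D04FE0-3AEA-1069-A2D8-08002B30309D}"}

SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "A", "Image": r"C:\Windows\System32\verclsid.exe",
     "CommandLine": r'"C:\Windows\System32\verclsid.exe" /S /C {20D04FE0-3AEA-1069-A2D8-08002B30309D}'},
    {"EventID": 7, "ProcessGuid": "A", "ImageLoaded": r"C:\Windows\System32\combase.dll"},
    {"EventID": 1, "ProcessGuid": "B", "Image": r"C:\Windows\System32\verclsid.exe",
     "CommandLine": r'"C:\Windows\System32\verclsid.exe" /S /C {11111111-2222-3333-4444-555555555555}'},
    {"EventID": 7, "ProcessGuid": "B", "ImageLoaded": r"C:\Windows\System32\scrobj.dll"},
    {"EventID": 3, "ProcessGuid": "B", "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 1, "ProcessGuid": "C", "Image": r"C:\Windows\System32\verclsid.exe",
     "CommandLine": ""},  # endpoint without command-line capture
    {"EventID": 3, "ProcessGuid": "D", "DestinationIp": "203.0.113.11", "DestinationPort": 80},  # unrelated process
]

if __name__ == "__main__":
    for guid, (verdict, reasons) in detect(SAMPLE_EVENTS, BASELINE).items():
        print(guid, verdict, reasons)
```

Process A (baseline CLSID, ordinary COM runtime module, no network) scores benign, process B (unknown CLSID, scrobj.dll loaded, outbound TLS connection) scores alert with all three reasons, and process C is surfaced as a telemetry gap so the blind spot is counted rather than hidden. The unrelated connection from process D is ignored because the join is anchored on verclsid.exe creation events.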
Mitigation priorities
- Ensure Windows endpoint logging is configured to collect process creation, arguments, module-load, and network connection evidence needed for this analytic.
- Restrict and monitor unnecessary outbound connectivity from endpoints according to least-privilege network egress policy.
- Use application control or execution policy controls where appropriate to reduce abuse of unexpected script or COM-related execution paths.
- Document expected verclsid.exe behavior as compliance and incident-response evidence so analysts can distinguish approved activity from suspicious use.
- Test SOC playbooks for correlating host and network evidence when a trusted Windows binary exhibits unusual arguments or outbound activity.
Analyst notes and limits
The supplied object is a detection analytic for Windows and describes abuse of verclsid.exe involving COM object execution, CLSID arguments, DLL or scriptlet engine loading, and possible outbound connections for remote SCT or HTA content. No tactic, technique relationship, procedure example, or official detection logic was supplied, so local baselining and telemetry validation are essential.
This take is limited to the official STIX fields, external reference, and the provided description. It does not establish active exploitation, adversary attribution, prevalence, business impact, or guaranteed detection coverage. No relationship context was supplied, and ATT&CK tactics are not specified.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | a57f027c3643… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack AN0118 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.