T1059.005: Visual Basic
| View on MITRE ATT&CK | T1059.005 |
|---|---|
| Tactic(s) | Execution |
Data from MITRE ATT&CK®:
Adversaries may abuse Visual Basic (VB) for execution. VB is a programming language created by Microsoft with interoperability with many Windows technologies such as Component Object Model and the Native API through the Windows API. Although tagged as legacy with no planned future evolutions, VB is integrated and supported in the .NET Framework and cross-platform .NET Core.(Citation: VB .NET Mar 2020)(Citation: VB Microsoft)
Derivative languages based on VB have also been created, such as Visual Basic for Applications (VBA) and VBScript. VBA is an event-driven programming language built into Microsoft Office, as well as several third-party applications.(Citation: Microsoft VBA)(Citation: Wikipedia VBA) VBA enables documents to contain macros used to automate the execution of tasks and other functionality on the host. VBScript is a default scripting language on Windows hosts and can also be used in place of JavaScript on HTML Application (HTA) webpages served to Internet Explorer (though most modern browsers do not come with VBScript support).(Citation: Microsoft VBScript)
Adversaries may use VB payloads to execute malicious commands. Common malicious usage includes automating execution of behaviors with VBScript or embedding VBA content into Spearphishing Attachment payloads (which may also involve Mark-of-the-Web Bypass to enable execution).(Citation: Default VBS macros Blocking)
© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.
Reporting on this Technique
REDCURL - The pentest you didn't know about
This report by researchers at Group-IB outlines activity by a group they call RedCurl. The report identifies victimology and motivation (corporate ...
APT40 Advisory - PRC MSS tradecraft in action
This advisory, authored by the Australian Cyber Security Centre and multiple other international cybersecurity agencies, outlines the threat posed ...
Mitigations for this technique
MITRE ATT&CK Mitigations
Behavior Prevention on Endpoint
Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.
Antivirus/Antimalware
Use signatures or heuristics to detect malicious software.
Disable or Remove Feature or Program
Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.
Execution Prevention
Block execution of code on a system through application control, and/or script blocking.
Restrict Web-Based Content
Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.
How to detect this technique
MITRE ATT&CK Data Components
Command Execution (Command)
The execution of a line of text, potentially with arguments, created from program code (e.g. a cmdlet executed via powershell.exe, interactive commands like >dir, shell executions, etc.)
Script Execution (Script)
The execution of a text file that contains code via the interpreter (e.g. Powershell, WMI, Windows EID 4104, etc.)
Module Load (Module)
Attaching a module into the memory of a process/program, typically to access shared resources/features provided by the module (ex: Sysmon EID 7)
Process Creation (Process)
The initial construction of an executable managed by the OS, that may involve one or more tasks or threads. (e.g. Win EID 4688, Sysmon EID 1, cmd.exe > net use, etc.)
Control Validation Tests for this Technique
Use Atomic Red Team tests to test your defenses against this technique.
Sigma Detections for this Technique
Cscript/Wscript Uncommon Script Extension Execution
HackTool - CACTUSTORCH Remote Thread Creation
Csc.EXE Execution Form Potentially Suspicious Parent
Suspicious Child Process Of BgInfo.EXE
Windows Shell/Scripting Processes Spawning Suspicious Programs
WScript or CScript Dropper - File
Uncommon Child Process Of BgInfo.EXE
Suspicious HH.EXE Execution
Potential Dropper Script Execution Via WScript/CScript
HackTool - Koadic Execution
HTML Help HH.EXE Suspicious Child Process
Adwind RAT / JRAT File Artifact
Potential SquiblyTwo Technique Execution
Suspicious Reconnaissance Activity Via GatherNetworkInfo.VBS
Suspicious Scripting in a WMI Consumer
File Was Not Allowed To Run
Potential Reconnaissance Activity Via GatherNetworkInfo.VBS
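The following is an added example, not part of this page and not the Sigma project's own rule logic. It shows, in Python, what two of the rule titles above amount to when run over Process Creation telemetry (Sysmon EID 1 style records, as listed under the data components): a Windows Script Host binary launched against a file whose extension is not a normal script extension, and an Office application spawning a script host or shell. The field layout, the expected-extension set, the parent/child process lists, and the sample events are all assumptions constructed for the example.

```python
"""Toy detection pass over constructed Sysmon Event ID 1 style process-creation
records. Added example: not the page's content and not Sigma's rule code."""
import ntpath
import re
from typing import Dict, List, Optional

# Assumed field layout: one event per line, "Key: value" pairs joined by " | ".
FIELD_SEP = " | "

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Assumption: extensions WSH is normally asked to run; anything else is flagged.
EXPECTED_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}
# Assumption: parents/children of interest for the Office-spawns-scripting case.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe"}


def parse_event(line: str) -> Dict[str, str]:
    """Split 'Image: x | CommandLine: y | ParentImage: z' into a dict."""
    event: Dict[str, str] = {}
    for part in line.split(FIELD_SEP):
        key, _, value = part.partition(": ")
        event[key.strip()] = value.strip()
    return event


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, quotes stripped."""
    return ntpath.basename(path.strip('"')).lower()


_TOKEN = re.compile(r'"[^"]*"|\S+')


def script_target(command_line: str) -> Optional[str]:
    """Return the first non-switch argument after the host executable, i.e. the
    file WSH was asked to run, or None if there is none."""
    tokens = _TOKEN.findall(command_line)
    for tok in tokens[1:]:
        if tok.startswith("/"):  # WSH switches such as //nologo, /b, /e:vbscript
            continue
        return tok.strip('"')
    return None


def evaluate(event: Dict[str, str]) -> List[str]:
    """Return the names of the (example) rules this event triggers."""
    hits: List[str] = []
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))

    # Rule 1: script host run against a file with an uncommon extension.
    if image in SCRIPT_HOSTS:
        target = script_target(event.get("CommandLine", ""))
        ext = ntpath.splitext(target)[1].lower() if target else ""
        if ext not in EXPECTED_EXTENSIONS:
            hits.append("wsh_uncommon_script_extension")

    # Rule 2: Office application spawning a script host or shell.
    if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS | SHELLS:
        hits.append("office_spawned_script_host_or_shell")
    return hits


def scan(lines: List[str]) -> Dict[int, List[str]]:
    """Map 0-based line index to the rule names it triggered (empty = clean)."""
    return {i: evaluate(parse_event(line)) for i, line in enumerate(lines)}


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    'Image: C:\\Windows\\System32\\wscript.exe | CommandLine: wscript.exe "C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.txt" | ParentImage: C:\\Windows\\explorer.exe',
    'Image: C:\\Windows\\System32\\cscript.exe | CommandLine: cscript.exe //nologo C:\\Windows\\System32\\slmgr.vbs /dlv | ParentImage: C:\\Windows\\System32\\cmd.exe',
    'Image: C:\\Windows\\System32\\wscript.exe | CommandLine: wscript.exe C:\\Users\\bob\\Downloads\\update.vbs | ParentImage: C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE',
    'Image: C:\\Windows\\SysWOW64\\wscript.exe | CommandLine: wscript.exe /e:vbscript "C:\\ProgramData\\report.dat" | ParentImage: C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE',
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        print(idx, hits or "clean")
```

The second sample (a licensing script run from cmd.exe with the usual `.vbs` extension) stays clean, which is the point of keying on the extension and parent rather than on the script host alone: `wscript.exe` and `cscript.exe` are used legitimately on every Windows host, so a production rule also needs allow-lists for known administrative scripts and should match on fields such as OriginalFileName rather than the image path alone to resist renaming.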
SP800-53 Controls
See which controls can help protect against this MITRE ATT&CK technique. This is based on mappings to associated SP800-53 controls produced by the MITRE Engenuity Center for Threat-Informed Defense.