ATT&CK coverage › Technique

Command and Scripting Interpreter: Visual Basic `T1059.005`

Adversaries may abuse Visual Basic (VB) for execution. VB is a programming language created by Microsoft with interoperability with many Windows technologies such as Component Object Model and the Native API through the Windows API. Although tagged as legacy with no planned future evolutions, VB is integrated and supported in the .NET Framework and cross-platform .NET Core.

Events covered

17 catalog events are tagged with this technique by at least one rule.

Provider	Event ID	Title
Sysmon	1	Process creation
Sysmon	7	Image loaded
Sysmon	8	CreateRemoteThread
Sysmon	11	FileCreate
Sysmon	12	RegistryEvent (Object create and delete)
Sysmon	13	RegistryEvent (Value Set)
Sysmon	14	RegistryEvent (Key and Value Rename)
Sysmon	19	WmiEvent (WmiEventFilter activity detected)
Sysmon	20	WmiEvent (WmiEventConsumer activity detected)
Sysmon	21	WmiEvent (WmiEventConsumerToFilter activity detected)
Sysmon	22	DNSEvent (DNS query)
Security-Auditing	4688	A new process has been created.
AppLocker	8004	FilePathBuffer was prevented from running.
AppLocker	8007	FilePathBuffer was prevented from running.
AppLocker	8022	PackageBuffer was prevented from running.
AppLocker	8025	PackageBuffer was prevented from running.
PowerShell	4104	Creating Scriptblock text (MessageNumber of MessageTotal).

Authoring guide

Patterns shared across the 26 rules above: which fields they filter on, what specific values they look for, and what they exclude. Field names are normalized across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (16 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

Field	Rules	How	Sample values
`Image`	20	`ends_with` 16, `match` 3, `in` 1, `ne` 1	`\cscript.exe`, `\wscript.exe`, `\wmic.exe`, `\mshta.exe`, `\csc.exe`
`CommandLine`	10	`match` 10	`\AppData\Local\Temp\`, `gatherNetworkInfo.vbs`, `.dat`, `.doc`, `.gif`
`OriginalFileName`	7	`eq` 7	`wscript.exe`, `cscript.exe`, `wmic.exe`, `csc.exe`, `Cmd.Exe`
`ParentImage`	5	`ends_with` 5, `starts_with` 1, `eq` 1	`\bginfo64.exe`, `\bginfo.exe`, `\excel.exe`, `\onenote.exe`, `C:\Windows\System32\sdiagnhost.exe`
`TargetFilename`	4	`match` 2, `ends_with` 1, `starts_with` 1, `eq` 1	`.vbs`, `.exe`, `\Retrive`, `\Temp\_MEI`, `\nxc\data\`
`ParentCommandLine`	2	`match` 2, `regex_match` 1	`FromBase64String`, `\Contacts\`, `:\Windows\Temp\`, `\splash.hta`, `C:\MEM_Configmgr_`
`Hashes`	2	`match` 2	`IMPHASH=16A48C3CABF98A9DC1BF02C07FE1EA00`, `IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E`, `IMPHASH=9D87C9D67CE724033C0B40CC4CA1B206`
`QueryName`	2	`in` 1, `eq` 1	`"discord"`, `"t.me"`, `"pastebin"`
`EventID`	2	`eq` 2	`22`
`TargetImage`	1	`match` 1	`\SysWOW64\`
`StartModule`	1	`is_null` 1
`ImageLoaded`	1	`ends_with` 1	`\jscript.dll`, `\vbscript.dll`, `\jscript9.dll`
`ScriptBlockText`	1	`match` 1	`CreateObject`, `Wscript.shell`, `.RegWrite`
`TargetObject`	1	`match` 1	`SOFTWARE\Microsoft\Windows NT\CurrentVersion\Notifications\Data\`, `Software\Microsoft\Windows\CurrentVersion\Internet Settings\`, `Software\Microsoft\Windows Script\Settings\Telemetry\wscript.exe\`
`CurrentDirectory`	1	`match` 1	`\ccmcache\`

Top indicator values (200 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique.

Field	Kind	Value	Rules (here)	Corpus reach
`Image`	`ends_with`	`\cscript.exe`	8	64
`Image`	`ends_with`	`\wscript.exe`	8	64
`Image`	`ends_with`	`\cmd.exe`	3	92
`Image`	`ends_with`	`\wmic.exe`	3	37
`Image`	`ends_with`	`\mshta.exe`	3	57
`ParentImage`	`ends_with`	`\wscript.exe`	2	14
`ParentImage`	`ends_with`	`\mshta.exe`	2	10
`ParentImage`	`ends_with`	`\powershell.exe`	2	16
`ParentImage`	`ends_with`	`\pwsh.exe`	2	16
`ParentImage`	`ends_with`	`\cscript.exe`	2	14
`OriginalFileName`	`eq`	`cscript.exe`	2	15
`OriginalFileName`	`eq`	`wscript.exe`	2	15
`Image`	`ends_with`	`\pwsh.exe`	2	140
`Image`	`ends_with`	`\powershell.exe`	2	143
`Image`	`ends_with`	`\schtasks.exe`	2	45
`CommandLine`	`match`	`\AppData\Local\Temp\`	2	16
`CommandLine`	`match`	`gatherNetworkInfo.vbs`	2	2
`Hashes`	`match`	`IMPHASH=9D87C9D67CE724033C0B40CC4CA1B206`	2	2
`Hashes`	`match`	`IMPHASH=B12619881D79C3ACADF45E752A58554A`	2	2
`Hashes`	`match`	`IMPHASH=37777A96245A3C74EB217308F3546F4C`	2	2

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.

Sigma 23 rules

Adwind RAT / JRAT File Artifact severity high, 1 event, 4 indicators, 0 exclusions
AppLocker Prevented Application or Script from Running severity medium, 4 events, 0 indicators, 0 exclusions
Csc.EXE Execution Form Potentially Suspicious Parent severity high, 1 event, 33 indicators, 0 exclusions
Cscript/Wscript Uncommon Script Extension Execution severity high, 1 event, 15 indicators, 0 exclusions
HackTool - CACTUSTORCH Remote Thread Creation severity high, 1 event, 6 indicators, 0 exclusions
HackTool - Koadic Execution severity high, 1 event, 5 indicators, 0 exclusions
HackTool - NetExec File Indicators severity high, 1 event, 3 indicators, 0 exclusions
HTML Help HH.EXE Suspicious Child Process severity high, 2 events, 16 indicators, 0 exclusions
MMC Loading Script Engines DLLs severity medium, 1 event, 4 indicators, 0 exclusions
Potential Dropper Script Execution Via WScript/CScript severity medium, 2 events, 13 indicators, 0 exclusions
Potential Reconnaissance Activity Via GatherNetworkInfo.VBS severity medium, 1 event, 5 indicators, 0 exclusions
Potential Remote SquiblyTwo Technique Execution severity high, 1 event, 10 indicators, 0 exclusions
Registry Modification Attempt Via VBScript severity medium, 2 events, 3 indicators, 0 exclusions
Registry Modification Attempt Via VBScript - PowerShell severity medium, 1 event, 3 indicators, 0 exclusions
Registry Tampering by Potentially Suspicious Processes severity medium, 3 events, 7 indicators, 0 exclusions
Suspicious Child Process Of BgInfo.EXE severity high, 2 events, 16 indicators, 0 exclusions
Suspicious HH.EXE Execution severity high, 1 event, 8 indicators, 0 exclusions
Suspicious Reconnaissance Activity Via GatherNetworkInfo.VBS severity high, 2 events, 3 indicators, 0 exclusions
Suspicious Scripting in a WMI Consumer severity high, 3 events, 11 indicators, 0 exclusions
Uncommon Child Process Of BgInfo.EXE severity medium, 2 events, 2 indicators, 0 exclusions
Windows Shell/Scripting Processes Spawning Suspicious Programs severity high, 1 event, 26 indicators, 0 exclusions
WScript or CScript Dropper - File severity high, 1 event, 9 indicators, 0 exclusions
XSL Script Execution Via WMIC.EXE severity medium, 1 event, 19 indicators, 0 exclusions

Splunk 3 rules

Suspicious Process DNS Query Known Abuse Web Services 1 event, 16 indicators, 0 exclusions
Suspicious Process With Discord DNS Query 1 event, 5 indicators, 0 exclusions
Windows Outlook Macro Created by Suspicious Process 1 event, 1 indicator, 0 exclusions

Command and Scripting Interpreter: Visual Basic T1059.005