Detection rules › Splunk
Windows Visual Basic Commandline Compiler DNSQuery
The following analytic detects instances where vbc.exe, the Visual Basic Command Line Compiler, initiates DNS queries. Normally, vbc.exe operates locally to compile Visual Basic code and does not require internet access or to perform DNS lookups. Therefore, any observed DNS activity originating from vbc.exe is highly suspicious and indicative of potential malicious activity. This behavior often suggests that a malicious payload is masquerading as the legitimate vbc.exe process to establish command-and-control (C2) communication, resolve domains for data exfiltration, or download additional stages of malware. Security teams should investigate the process's parent, command-line arguments, and the resolved domains for further indicators of compromise.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Command & Control | T1071.004 Application Layer Protocol: DNS |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 22 | DNSEvent (DNS query) |
Stages and Predicates
Stage 1: search
search EventCode=22 process_name="vbc.exe"
Stage 2: rename
rename
Stage 3: stats
stats BY answer, answer_count, dest, process_exec, process_guid, process_name, query, query_count, reply_code_id, signature, signature_id, src, user_id, vendor_product, QueryName, QueryResults, QueryStatus
Stage 4: search
search
Stage 5: search
search
Stage 6: search
search `macro`
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
EventCode | eq |
|
process_name | eq |
|