T1059.005: Visual Basic
Adversaries may abuse Visual Basic (VB) for execution. VB is a programming language created by Microsoft with interoperability with many Windows technologies such as Component Object Model and the Native API through the Windows API. Although tagged as legacy with no planned future evolutions, VB is integrated and supported in the .NET Framework and cross-platform .NET Core.
Derivative languages based on VB have also been created, such as Visual Basic for Applications (VBA) and VBScript. VBA is an event-driven programming language built into Microsoft Office, as well as several third-party applications. VBA enables documents to contain macros used to automate the execution of tasks and other functionality on the host. VBScript is a default scripting language on Windows hosts and can also be used in place of JavaScript on HTML Application (HTA) webpages served to Internet Explorer (though most modern browsers do not come with VBScript support).
Adversaries may use VB payloads to execute malicious commands. Common malicious usage includes automating execution of behaviors with VBScript or embedding VBA content into Spearphishing Attachment payloads (which may also involve Mark-of-the-Web Bypass to enable execution).
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
- mitre_attck_execution: PT-CR-2664: Outlook_VBA_Addin_Load: The Outlook process loaded the library "Microsoft VBA for Outlook Addin" (OUTLVBA.DLL). This may indicate the use of VBA macros to execute arbitrary code.
- mitre_attck_execution: PT-CR-605: Office_File_With_Macros: A user opened a Microsoft Office document with a macro.
- mitre_attck_execution: PT-CR-1089: DotNetToJScript_Usage: Possible usage of the DotNetToJScript utility is detected.
- mitre_attck_execution: PT-CR-339: Script_Files_Execution: A user attempted to run a script.
- hacking_tools: PT-CR-373: SharpWMI_Usage: Possible use of the SharpWMI software is detected.
Detection
ID | Data source and component | Description
---|---|---
DS0011 | Module: Module Load | Monitor for the loading of modules associated with VB languages (ex: vbscript.dll). Note: For Windows, Sysmon Event ID 7 (Image loaded) can be used to alert on the loading of DLL modules (e.g., vbscript.dll) associated with Visual Basic into processes. Due to the high frequency of image load operations, Event ID 7 can generate a large volume of events. Therefore, we recommend tuning the Sysmon configuration file to exclude common, benign image loads that may result in false positives.
DS0012 | Script: Script Execution | Monitor for any attempts to enable scripts running on a system; such attempts should be considered suspicious. If scripts are not commonly used on a system but are enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent. Note: Be aware of VBScript execution from temporary or unusual file locations, which may indicate malicious activity. Analytic 1: Script Execution from Temporary Locations.
DS0017 | Command: Command Execution | Monitor executed commands and arguments that may abuse Visual Basic (VB) for execution.
DS0009 | Process: Process Creation | Monitor for events associated with VB execution, such as Office applications spawning processes and usage of the Windows Script Host (typically cscript.exe or wscript.exe). VB execution is likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used.
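The three detection ideas above (DS0011 module loads with benign-load tuning, DS0012 scripts run from temporary locations, DS0009 Office applications spawning the Windows Script Host) expressed as rules over Sysmon-style events. This is an added example, not code from the ATT&CK page, MITRE, or Positive Technologies: the sample events are constructed, the field names follow Sysmon Event ID 1 and Event ID 7, and the allow-lists, the set of suspicious Office child processes and the temporary-path pattern are tuning assumptions that an analyst would adjust to their own environment.

```python
"""Detection rules for T1059.005 (Visual Basic) over Sysmon-style events.

Added example, not part of the ATT&CK page or any vendor rule set. Field
names follow Sysmon Event ID 1 (Process creation) and Event ID 7 (Image
loaded); the sample events, allow-lists and path patterns are constructed
tuning assumptions.
"""
import re
from pathlib import PureWindowsPath

# Modules whose load indicates VB/VBA/VBScript activity (DS0011). vbscript.dll
# is named on the page; VBE7.DLL (the VBA engine) and OUTLVBA.DLL (named in the
# Outlook_VBA_Addin_Load rule above) are included here as assumptions.
VB_MODULES = {"vbscript.dll", "vbe7.dll", "outlvba.dll"}

# Tuning assumption: the Windows Script Host always loads vbscript.dll, so those
# loads are excluded here and covered by the process-creation rules instead.
EXPECTED_VB_LOADERS = {"wscript.exe", "cscript.exe"}

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
               "msaccess.exe", "visio.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Children of an Office process that are rarely legitimate (assumption).
SUSPICIOUS_OFFICE_CHILDREN = SCRIPT_HOSTS | {"mshta.exe", "cmd.exe",
                                             "powershell.exe", "rundll32.exe"}

# A .vbs/.vbe under a temporary or user-writable directory (DS0012, Analytic 1).
TEMP_SCRIPT = re.compile(
    r"\\(?:Temp|Downloads|Public|ProgramData)\\.*?\.vb[se]\b", re.IGNORECASE)


def _basename(path):
    """Lower-cased file name of a Windows path ('' if the field is missing)."""
    return PureWindowsPath(path or "").name.lower()


def vb_module_load(event):
    """DS0011: Event ID 7 with a VB engine DLL loaded by a non-script-host process."""
    if event.get("EventID") != 7:
        return False
    return (_basename(event.get("ImageLoaded")) in VB_MODULES
            and _basename(event.get("Image")) not in EXPECTED_VB_LOADERS)


def office_spawns_script_host(event):
    """DS0009: Event ID 1 where an Office application parents a script host or shell."""
    if event.get("EventID") != 1:
        return False
    return (_basename(event.get("ParentImage")) in OFFICE_APPS
            and _basename(event.get("Image")) in SUSPICIOUS_OFFICE_CHILDREN)


def script_from_temp_location(event):
    """DS0012: a script host launched on a script stored in a temporary location."""
    if event.get("EventID") != 1 or _basename(event.get("Image")) not in SCRIPT_HOSTS:
        return False
    return TEMP_SCRIPT.search(event.get("CommandLine", "")) is not None


RULES = {
    "vb_module_load": vb_module_load,
    "office_spawns_script_host": office_spawns_script_host,
    "script_from_temp_location": script_from_temp_location,
}


def detect(events):
    """Apply every rule to every event; return (rule name, RecordId) pairs."""
    return [(name, event["RecordId"])
            for event in events
            for name, rule in RULES.items()
            if rule(event)]


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    # Script host loading its own engine: expected, excluded by tuning.
    {"RecordId": 1, "EventID": 7, "Image": r"C:\Windows\System32\wscript.exe",
     "ImageLoaded": r"C:\Windows\System32\vbscript.dll"},
    # Excel loading the VBA engine: a macro-enabled workbook was opened.
    {"RecordId": 2, "EventID": 7,
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "ImageLoaded": r"C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.DLL"},
    # Word spawning wscript.exe on a script in %TEMP%: hits two rules.
    {"RecordId": 3, "EventID": 1,
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'wscript.exe //B "C:\Users\alice\AppData\Local\Temp\invoice.vbs"'},
    # Administrator running an inventory script from a managed path: clean.
    {"RecordId": 4, "EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cscript.exe",
     "CommandLine": r"cscript.exe C:\Scripts\inventory.vbs"},
]

if __name__ == "__main__":
    for rule, record_id in detect(SAMPLE_EVENTS):
        print(f"{rule}: RecordId {record_id}")
```

The module-load rule is the noisy one, exactly as the DS0011 note warns: without the script-host exclusion it would fire on every wscript.exe launch, and with it, it still fires whenever a macro-enabled workbook opens in Excel (record 2), which is the same signal the Office_File_With_Macros rule above carries. The process-creation rules are the higher-confidence pair; record 3 shows why correlating them (Office parent plus a script in a temporary directory) is more useful than either alone.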
Mitigation
ID | Name | Description
---|---|---
M1021 | Restrict Web-Based Content | Script blocking extensions can help prevent the execution of scripts and HTA files that may commonly be used during the exploitation process. For malicious code served up through ads, adblockers can help prevent that code from executing in the first place.
M1038 | Execution Prevention | Use application control where appropriate. VBA macros obtained from the Internet, based on the file's Mark of the Web (MOTW) attribute, may be blocked from executing in Office applications (ex: Access, Excel, PowerPoint, Visio, and Word) by default starting in Windows Version 2203.
M1040 | Behavior Prevention on Endpoint | On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent Visual Basic scripts from executing potentially malicious downloaded content.
M1042 | Disable or Remove Feature or Program | Turn off or restrict access to unneeded VB components.
M1049 | Antivirus/Antimalware | Anti-virus can be used to automatically quarantine suspicious files.
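The M1038 row relies on the Mark of the Web, which Windows stores as a Zone.Identifier alternate data stream on downloaded files. The following added example (not code from the ATT&CK page or from Office) parses that stream and applies the zone-based decision the mitigation describes. The sample streams are constructed; the zone numbers are the Windows URL security zones (0 Local machine, 1 Local intranet, 2 Trusted sites, 3 Internet, 4 Restricted sites), and the rule "block macros for zones 3 and 4" is this example's rendering of the Office default rather than an API of Office itself.

```python
"""Mark-of-the-Web check behind the M1038 macro-blocking default.

Added example, not part of the ATT&CK page or of Office. Windows records the
origin of a downloaded file in the file's Zone.Identifier alternate data
stream (INI format). Sample streams below are constructed; the block-for-
zones-3-and-4 rule is this example's policy, modelled on the Office default.
"""
import configparser

ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}
BLOCKED_ZONES = {3, 4}


def parse_zone_identifier(stream_text):
    """Return the ZoneId from a Zone.Identifier stream, or None if missing or malformed."""
    parser = configparser.ConfigParser(interpolation=None)
    try:
        # The stream is written with CRLF line endings; normalise before parsing.
        parser.read_string(stream_text.replace("\r\n", "\n"))
        return parser.getint("ZoneTransfer", "ZoneId")
    except (configparser.Error, ValueError):
        return None


def read_zone_identifier(path):
    """Read the Zone.Identifier stream of a file on NTFS; None when the file is unmarked."""
    try:
        with open(f"{path}:Zone.Identifier", encoding="utf-8") as stream:
            return stream.read()
    except OSError:  # no such stream (file never marked) or not an NTFS volume
        return None


def macros_blocked(stream_text):
    """True when the stream marks the file as from the Internet or Restricted sites zone."""
    if stream_text is None:  # no Mark of the Web: nothing for this control to act on
        return False
    return parse_zone_identifier(stream_text) in BLOCKED_ZONES


# Constructed sample streams, keyed by a description of the file they would mark.
SAMPLE_STREAMS = {
    "report.docm saved from a browser": (
        "[ZoneTransfer]\r\nZoneId=3\r\n"
        "ReferrerUrl=https://files.example.test/\r\n"
        "HostUrl=https://files.example.test/report.docm\r\n"),
    "budget.xlsm copied from an intranet share": "[ZoneTransfer]\r\nZoneId=1\r\n",
    "memo.docm created locally (no stream)": None,
}

if __name__ == "__main__":
    for label, stream in SAMPLE_STREAMS.items():
        zone = parse_zone_identifier(stream) if stream is not None else None
        zone_name = ZONE_NAMES.get(zone, "unmarked")
        print(f"{label}: zone {zone} ({zone_name}), macros blocked: {macros_blocked(stream)}")
```

The practical point for a defender is the last sample: a file that never carried the stream, or had it stripped (the Mark-of-the-Web Bypass referred to in the technique description), is not blocked by this control, which is why M1038 pairs MOTW-based blocking with application control rather than relying on it alone.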