T1059.005: Visual Basic

Adversaries may abuse Visual Basic (VB) for execution. VB is a programming language created by Microsoft that interoperates with many Windows technologies, such as the Component Object Model (COM) and, through the Windows API, the Native API. Although tagged as legacy with no planned future evolutions, VB is integrated and supported in the .NET Framework and in cross-platform .NET Core.

Derivative languages based on VB have also been created, such as Visual Basic for Applications (VBA) and VBScript. VBA is an event-driven programming language built into Microsoft Office and several third-party applications. VBA enables documents to contain macros that automate tasks and other functionality on the host. VBScript is a default scripting language on Windows hosts, interpreted by the Windows Script Host (wscript.exe and cscript.exe), and can also be used in place of JavaScript in HTML Application (HTA) pages served to Internet Explorer (most modern browsers do not support VBScript). Microsoft has deprecated VBScript; starting with Windows 11 version 24H2 it ships as a Feature on Demand that is planned to be disabled by default in a later release, so its presence and use on current systems should be deliberate rather than assumed.

Adversaries may use VB payloads to execute malicious commands. Common malicious usage includes automating execution of behaviors with VBScript, and embedding VBA content into Spearphishing Attachment payloads (which may also involve a Mark-of-the-Web Bypass to get the macro to run).

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

mitre_attck_execution: PT-CR-2664: Outlook_VBA_Addin_Load: The Outlook process loaded library "Microsoft VBA for Outlook Addin" (OUTLVBA.DLL). This may indicate the use of VBA macros to execute arbitrary code.
mitre_attck_execution: PT-CR-605: Office_File_With_Macros: A user opened a Microsoft Office document with a macro
mitre_attck_execution: PT-CR-1089: DotNetToJScript_Usage: Possible usage of the DotNetToJscript utility is detected
mitre_attck_execution: PT-CR-339: Script_Files_Execution: A user attempted to run a script
hacking_tools: PT-CR-373: SharpWMI_Usage: Possible use of the SharpWMI software is detected

Detection

DS0011 Module: Module Load

Monitor for the loading of modules associated with VB languages, for example vbscript.dll (the VBScript engine, loaded by wscript.exe, cscript.exe, mshta.exe and other script hosts) and vbe7.dll (the VBA runtime, loaded by an Office process when a macro executes).

Note: For Windows, Sysmon Event ID 7 (Image loaded) can be used to alert on the loading of DLL modules (e.g., vbscript.dll) associated with Visual Basic into processes. Due to the high frequency of image load operations, Event ID 7 can generate a large volume of events. Therefore, we recommend tuning the Sysmon configuration file to exclude common, benign image loads that may result in false positives.

DS0012 Script: Script Execution

Monitor for attempts to enable script execution on a system. On hosts where scripts are not normally used, enabling them is itself suspicious, as is script activity that falls outside patching windows or other administrative work. Capture the scripts from the file system when possible so their actions and intent can be determined.

Note: Be aware of VBScript execution from temporary or unusual file locations, which may indicate malicious activity.

Analytic 1 - Script Execution from Temporary Locations

(source=WinEventLog:"Microsoft-Windows-PowerShell/Operational" EventID="4103") | WHERE CommandLine LIKE "*AppData*.vbs*" OR CommandLine LIKE "*AppData*.vbe*" OR CommandLine LIKE "*AppData*.vba*"

Note: this analytic only sees scripts that a PowerShell pipeline touched. Scripts launched directly through wscript.exe or cscript.exe never appear in the PowerShell log, so apply the same path-and-extension pattern to process-creation command lines as well (Sysmon Event ID 1, or Security Event ID 4688 with command-line auditing enabled).

DS0017 Command: Command Execution

Monitor executed commands and arguments that may abuse Visual Basic (VB) for execution, in particular wscript.exe and cscript.exe command lines and their switches (for example //B to suppress error dialogs, or //E:vbscript to force the VBScript engine regardless of file extension).

DS0009 Process: Process Creation

Monitor for events associated with VB execution, such as Office applications spawning child processes, or use of the Windows Script Host (typically cscript.exe or wscript.exe). VB execution is likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used.
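The two process-creation patterns described in this section (Windows Script Host running a script out of a temporary location, as in Analytic 1 above, and an Office application spawning a child process) expressed as one PowerShell triage function. This is an added example, not part of the ATT&CK page or any vendor rule set. Field names follow Sysmon Event ID 1 (Image, CommandLine, ParentImage); the sample events are constructed for the demonstration, and the suspicious-path pattern and the process lists are assumptions to be tuned per environment.

```powershell
# Added example: classify process-creation events for two VB execution patterns.
#   Rule 1 - Windows Script Host running a .vbs/.vbe/.vba from a temporary or user-writable path
#   Rule 2 - an Office application spawning an interpreter or other LOLBin (macro child process)
# Field names follow Sysmon Event ID 1; the sample events below are constructed, not real telemetry.

$ScriptHosts    = @('wscript.exe', 'cscript.exe')
$OfficeParents  = @('winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe', 'msaccess.exe', 'visio.exe')
$LolbinChildren = @('cmd.exe', 'powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe',
                    'rundll32.exe', 'regsvr32.exe', 'certutil.exe', 'bitsadmin.exe', 'msiexec.exe')

# Locations a scheduled or admin script rarely runs from (assumption: tune per environment).
# -match is case-insensitive by default; '\\' in a single-quoted string is one literal backslash for the regex.
$SuspiciousPathPattern = '\\(AppData|Temp|Downloads|Public|ProgramData)\\'
$VbExtensionPattern    = '\.vb[sea]\b'          # .vbs, .vbe, .vba

function Test-VbExecutionEvent {
    # Returns zero or more finding strings for one event exposing Image, CommandLine and ParentImage.
    param([Parameter(Mandatory)] $Event)

    $findings = @()
    # Take the file name with a split on either separator so the demo also runs under pwsh on Linux.
    $image  = ($Event.Image -split '[\\/]')[-1].ToLowerInvariant()
    $parent = ($Event.ParentImage -split '[\\/]')[-1].ToLowerInvariant()

    # Rule 1: WSH launching a VB script from a suspicious location.
    if ($ScriptHosts -contains $image -and
        $Event.CommandLine -match $VbExtensionPattern -and
        $Event.CommandLine -match $SuspiciousPathPattern) {
        $findings += "WSH script from suspicious path: $($Event.CommandLine)"
    }

    # Rule 2: Office parent, interpreter/LOLBin child (typical of a macro executing commands).
    if ($OfficeParents -contains $parent -and $LolbinChildren -contains $image) {
        $findings += "Office child process: $parent -> $image : $($Event.CommandLine)"
    }
    return $findings
}

# Constructed sample events: a suspicious WSH launch, an Office macro child process, a benign admin script.
$SampleEvents = @(
    [pscustomobject]@{
        Image       = 'C:\Windows\System32\wscript.exe'
        CommandLine = '"C:\Windows\System32\wscript.exe" //B //E:vbscript "C:\Users\alice\AppData\Local\Temp\invoice_2024.vbs"'
        ParentImage = 'C:\Windows\explorer.exe'
    },
    [pscustomobject]@{
        Image       = 'C:\Windows\System32\cmd.exe'
        CommandLine = 'cmd.exe /c powershell -nop -w hidden -f C:\Users\alice\AppData\Roaming\stage.ps1'
        ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
    },
    [pscustomobject]@{
        Image       = 'C:\Windows\System32\cscript.exe'
        CommandLine = 'cscript.exe //nologo C:\Scripts\inventory.vbs'
        ParentImage = 'C:\Windows\System32\svchost.exe'
    }
)

foreach ($e in $SampleEvents) {
    foreach ($hit in (Test-VbExecutionEvent -Event $e)) { Write-Output "ALERT: $hit" }
}

# On a host with Sysmon installed, feed real Event ID 1 records instead of $SampleEvents.
function Get-SysmonProcessCreateEvents {
    param([int]$MaxEvents = 1000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } -MaxEvents $MaxEvents |
        ForEach-Object {
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{ Image = $data.Image; CommandLine = $data.CommandLine; ParentImage = $data.ParentImage }
        }
}
```

The third sample (cscript.exe running a script from C:\Scripts under svchost.exe, as a scheduled task would) is deliberately left silent: the value of the path pattern is that it separates such administrative use from scripts dropped into user-writable folders, so extend it with your own whitelisted script directories rather than alerting on every WSH launch.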

Mitigation

M1021 Restrict Web-Based Content

Script blocking extensions can help prevent the execution of scripts and HTA files that may commonly be used during the exploitation process. For malicious code served up through ads, adblockers can help prevent that code from executing in the first place.

M1038 Execution Prevention

Use application control where appropriate. VBA macros in files obtained from the Internet, identified by the file's Mark of the Web (MOTW) attribute, are blocked from executing in Office applications (ex: Access, Excel, PowerPoint, Visio, and Word) by default starting in Microsoft 365 Apps (Office) Version 2203; the same behavior can be enforced on older builds, and protected from user override, through the "Block macros from running in Office files from the Internet" policy.

M1040 Behavior Prevention on Endpoint

On Windows 10 and later, enable Attack Surface Reduction (ASR) rules to prevent Visual Basic scripts and macros from executing potentially malicious downloaded content, in particular "Block JavaScript or VBScript from launching downloaded executable content", "Block all Office applications from creating child processes" and "Block Win32 API calls from Office macros". Deploy new rules in audit mode first and review the resulting Defender events before switching them to block.

M1042 Disable or Remove Feature or Program

Turn off or restrict access to unneeded VB components, for example by disabling the Windows Script Host on hosts that run no legitimate VBScript, or by deploying Office without the VBA feature where macros are not required.
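The three endpoint mitigations above (M1038 MOTW-based macro blocking, M1040 ASR rules, M1042 disabling unneeded components) collected into one PowerShell hardening script. This is an added example, not code from the ATT&CK page or from a vendor. The ASR rule GUIDs, the Office policy value names and the Windows Script Host registry key are Microsoft's documented ones; the function names and the selection of rules are ours, and the "16.0" policy path assumes a Microsoft 365 Apps or Office 2016 or later install.

```powershell
# Added example: apply the VB-related mitigations from this page on a Windows host.
# Run from an elevated PowerShell. Registry paths, ASR GUIDs and policy value names are Microsoft's;
# function names and the choice of rules are this example's own.

# --- M1040: Attack Surface Reduction rules relevant to VB script and macro execution ---
$AsrRules = @{
    'd3e037e1-3eb8-44c8-a917-57927947596d' = 'Block JavaScript or VBScript from launching downloaded executable content'
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Block all Office applications from creating child processes'
    '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b' = 'Block Win32 API calls from Office macros'
    '3b576869-a4ec-4529-8536-b80a7769e899' = 'Block Office applications from creating executable content'
}

function Enable-VbAsrRules {
    # -AuditOnly logs what would have been blocked (Defender Operational Event ID 1122) without enforcing.
    param([switch]$AuditOnly)
    $mode = if ($AuditOnly) { 'AuditMode' } else { 'Enabled' }
    foreach ($id in $AsrRules.Keys) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $mode
        Write-Output "$mode : $($AsrRules[$id])"
    }
}

# --- M1038: enforce MOTW-based macro blocking by policy (the Version 2203 default, made non-overridable) ---
function Set-OfficeMacroPolicy {
    param(
        [string[]]$Apps = @('Word', 'Excel', 'PowerPoint', 'Access', 'Visio'),
        [string]$OfficeVersion = '16.0'   # assumption: Microsoft 365 Apps / Office 2016+
    )
    foreach ($app in $Apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        New-Item -Path $key -Force | Out-Null
        # 1 = block macros in files carrying a Zone.Identifier from the Internet or Restricted zone
        Set-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -Value 1 -Type DWord
        # VBAWarnings: 3 = only digitally signed macros may run; 4 = disable all macros without notification
        Set-ItemProperty -Path $key -Name 'VBAWarnings' -Value 3 -Type DWord
    }
}

# Helper: show a downloaded file's Mark of the Web (the Zone.Identifier alternate data stream).
function Get-MarkOfTheWeb {
    param([Parameter(Mandatory)][string]$Path)
    try   { Get-Content -Path $Path -Stream 'Zone.Identifier' -ErrorAction Stop }
    catch { 'no Zone.Identifier stream: the file is not marked as downloaded' }
}

# --- M1042: disable the Windows Script Host when nothing on the host needs wscript.exe/cscript.exe ---
function Disable-WindowsScriptHost {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name 'Enabled' -Value 0 -Type DWord   # 0 = WSH refuses to run any script
}

# Usage: audit the ASR rules first, enforce them once the 1122 audit events have been reviewed.
Enable-VbAsrRules -AuditOnly
Set-OfficeMacroPolicy
Disable-WindowsScriptHost
```

Before running Disable-WindowsScriptHost in production, inventory logon scripts, Group Policy scripts and vendor installers that rely on WSH, since the registry switch refuses all of them without distinction; the ASR rule "Block all Office applications from creating child processes" likewise needs an audit pass, because some add-ins legitimately spawn helper processes.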

M1049 Antivirus/Antimalware

Anti-virus can be used to automatically quarantine suspicious files.