T1059.005 Visual Basic Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let SuspiciousPatterns = dynamic([
  "CreateObject", "WScript.Shell", "Shell.Application",
  "Scripting.FileSystemObject", "ADODB.Stream",
  "MSXML2.XMLHTTP", "WinHttp.WinHttpRequest",
  "Environ(", "Shell(", "CallByName",
  "powershell", "cmd /c", "cmd.exe",
  "RegWrite", "RegRead", "RegDelete",
  "GetObject(\"winmgmts", "Win32_Process",
  "-decode", "certutil", "bitsadmin"
]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("wscript.exe", "cscript.exe", "mshta.exe")
| where ProcessCommandLine has_any (SuspiciousPatterns) or ProcessCommandLine has_any (".vbs", ".vbe", ".wsf", ".hta")
| extend IsHTA = FileName =~ "mshta.exe" or ProcessCommandLine has ".hta"
| extend IsVBS = ProcessCommandLine has_any (".vbs", ".vbe")
| extend ShellExec = ProcessCommandLine has_any ("WScript.Shell", "Shell.Application", "powershell", "cmd /c")
| extend NetworkDownload = ProcessCommandLine has_any ("MSXML2.XMLHTTP", "WinHttp", "ADODB.Stream")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         IsHTA, IsVBS, ShellExec, NetworkDownload
| sort by Timestamp desc

high severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

Legitimate IT administration scripts using VBScript for system configuration and inventory
Login scripts deployed via Group Policy that use VBS for drive mapping and printer assignment
Legacy business applications that depend on VBScript or HTA interfaces
Microsoft Office macros used for approved business automation (finance, HR processes)

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
  (Image="*\\wscript.exe" OR Image="*\\cscript.exe" OR Image="*\\mshta.exe")
| eval CommandLine=lower(CommandLine)
| eval IsHTA=if(match(Image, "mshta\.exe$") OR match(CommandLine, "\.hta"), 1, 0)
| eval IsVBS=if(match(CommandLine, "\.(vbs|vbe)($|\s|\")"), 1, 0)
| eval ShellExec=if(match(CommandLine, "(wscript\.shell|shell\.application|powershell|cmd\s+/c)"), 1, 0)
| eval NetworkDownload=if(match(CommandLine, "(msxml2\.xmlhttp|winhttp|adodb\.stream)"), 1, 0)
| eval WMIExec=if(match(CommandLine, "(winmgmts|win32_process)"), 1, 0)
| eval SuspicionScore=IsHTA + ShellExec*2 + NetworkDownload*2 + WMIExec*2
| where SuspicionScore > 0 OR IsVBS=1
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, IsHTA, IsVBS, ShellExec, NetworkDownload, WMIExec, SuspicionScore
| sort - _time

high severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Legitimate IT administration scripts using VBScript for system configuration and inventory
Login scripts deployed via Group Policy that use VBS for drive mapping and printer assignment
Legacy business applications that depend on VBScript or HTA interfaces
Microsoft Office macros used for approved business automation

Elastic Security (EQL)

eql

process where event.type == "start"
  and process.name in~ ("wscript.exe", "cscript.exe", "mshta.exe")
  and (
    process.args : ("*.vbs", "*.vbe", "*.wsf", "*.hta")
    or process.command_line : (
      "*CreateObject*", "*WScript.Shell*", "*Shell.Application*",
      "*Scripting.FileSystemObject*", "*ADODB.Stream*",
      "*MSXML2.XMLHTTP*", "*WinHttp.WinHttpRequest*",
      "*Environ(*", "*Shell(*", "*CallByName*",
      "*powershell*", "*cmd /c*", "*cmd.exe*",
      "*RegWrite*", "*RegRead*", "*RegDelete*",
      "*winmgmts*", "*Win32_Process*",
      "*-decode*", "*certutil*", "*bitsadmin*"
    )
  )

high severity high confidence

Data Sources

Elastic Endpoint Security (endpoint.events.process) Winlogbeat with Sysmon (winlogbeat-*) Filebeat with Sysmon module

Required Tables

logs-endpoint.events.process-* winlogbeat-*

False Positives

Legitimate enterprise automation using VBScript for software deployment or IT management tasks (e.g., SCCM/MECM scripts, logon scripts)
Administrative tools invoking mshta.exe for internal HTML application dashboards or legacy admin portals
Software installers that use cscript.exe or wscript.exe as part of a legitimate MSI or setup sequence

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  username,
  sourceip,
  "ImageFileName",
  "CommandLine",
  "ParentImage",
  CASE
    WHEN LOWER("ImageFileName") LIKE '%mshta.exe' OR LOWER("CommandLine") LIKE '%.hta%' THEN 1
    ELSE 0
  END AS is_hta,
  CASE
    WHEN LOWER("CommandLine") LIKE '%.vbs%' OR LOWER("CommandLine") LIKE '%.vbe%' THEN 1
    ELSE 0
  END AS is_vbs,
  CASE
    WHEN LOWER("CommandLine") LIKE '%wscript.shell%'
      OR LOWER("CommandLine") LIKE '%shell.application%'
      OR LOWER("CommandLine") LIKE '%powershell%'
      OR LOWER("CommandLine") LIKE '%cmd /c%' THEN 2
    ELSE 0
  END AS shell_score,
  CASE
    WHEN LOWER("CommandLine") LIKE '%msxml2.xmlhttp%'
      OR LOWER("CommandLine") LIKE '%winhttp%'
      OR LOWER("CommandLine") LIKE '%adodb.stream%' THEN 2
    ELSE 0
  END AS net_score,
  CASE
    WHEN LOWER("CommandLine") LIKE '%winmgmts%'
      OR LOWER("CommandLine") LIKE '%win32_process%' THEN 2
    ELSE 0
  END AS wmi_score
FROM events
WHERE LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Sysmon')
  AND (
    LOWER("ImageFileName") LIKE '%\\wscript.exe'
    OR LOWER("ImageFileName") LIKE '%\\cscript.exe'
    OR LOWER("ImageFileName") LIKE '%\\mshta.exe'
  )
  AND LAST 24 HOURS
HAVING (is_hta + is_vbs + shell_score + net_score + wmi_score) > 0
ORDER BY event_time DESC

high severity high confidence

Data Sources

Microsoft Windows Security Event Log (EventID 4688) Sysmon Operational Log (EventID 1) QRadar DSM for Windows

Required Tables

events

False Positives

Enterprise patch management or software distribution systems (e.g., PDQ Deploy, Altiris) that invoke wscript.exe or cscript.exe for deployment scripts
Legacy web application portals using mshta.exe to render internal HTML Applications for IT operations
Antivirus or EDR products running VBScript-based cleanup or remediation tasks post-quarantine

Sumo Logic CSE

sql

_sourceCategory=*windows*sysmon* OR _sourceCategory=*wineventlog*
| where EventID = "1" or EventCode = "1"
| parse field=Image "*\\*" as image_path, image_name nodrop
| parse field=CommandLine "*" as cmd nodrop
| where image_name in ("wscript.exe", "cscript.exe", "mshta.exe") or
  Image matches "*\\wscript.exe" or Image matches "*\\cscript.exe" or Image matches "*\\mshta.exe"
| eval cmd_lower = toLowerCase(CommandLine)
| eval is_hta = if(image_name = "mshta.exe" or contains(cmd_lower, ".hta"), 1, 0)
| eval is_vbs = if(contains(cmd_lower, ".vbs") or contains(cmd_lower, ".vbe"), 1, 0)
| eval shell_exec = if(
    contains(cmd_lower, "wscript.shell") or
    contains(cmd_lower, "shell.application") or
    contains(cmd_lower, "powershell") or
    contains(cmd_lower, "cmd /c"), 2, 0)
| eval net_download = if(
    contains(cmd_lower, "msxml2.xmlhttp") or
    contains(cmd_lower, "winhttp") or
    contains(cmd_lower, "adodb.stream"), 2, 0)
| eval wmi_exec = if(
    contains(cmd_lower, "winmgmts") or
    contains(cmd_lower, "win32_process"), 2, 0)
| eval encode_exec = if(
    contains(cmd_lower, "-decode") or
    contains(cmd_lower, "certutil") or
    contains(cmd_lower, "bitsadmin"), 2, 0)
| eval suspicion_score = is_hta + is_vbs + shell_exec + net_download + wmi_exec + encode_exec
| where suspicion_score > 0
| fields _messagetime, Computer, User, image_name, CommandLine, ParentImage, ParentCommandLine, is_hta, is_vbs, shell_exec, net_download, wmi_exec, suspicion_score
| sort by _messagetime desc

high severity high confidence

Data Sources

Windows Sysmon (EventID 1 - Process Create) Windows Security Event Log (EventID 4688) Sumo Logic Installed Collector on Windows endpoints

Required Tables

_sourceCategory=*windows*sysmon* _sourceCategory=*wineventlog*

False Positives

IT automation frameworks (Ansible Windows WinRM, PowerShell DSC) that use cscript or wscript as part of configuration management tasks
SAP GUI scripting or other enterprise ERP applications that embed VBScript macros executed via wscript.exe
Security tools or EDR agents that use mshta.exe to render local HTML-based UI components or health dashboards

Google Chronicle / SecOps

yaral

rule t1059_005_vbscript_suspicious_execution {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects suspicious execution of wscript.exe, cscript.exe, or mshta.exe with VBScript/HTA indicators consistent with MITRE ATT&CK T1059.005 - Visual Basic"
    mitre_attack_tactic = "Execution"
    mitre_attack_technique = "T1059.005"
    severity = "HIGH"
    confidence = "HIGH"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.process.file.full_path = /(?i)(\\wscript\.exe|\\cscript\.exe|\\mshta\.exe)$/
    (
      re.regex($e.target.process.command_line, `(?i)(\.(vbs|vbe|wsf|hta))`)
      or re.regex($e.target.process.command_line, `(?i)(createobject|wscript\.shell|shell\.application|scripting\.filesystemobject)`)
      or re.regex($e.target.process.command_line, `(?i)(adodb\.stream|msxml2\.xmlhttp|winhttp\.winhttprequest)`)
      or re.regex($e.target.process.command_line, `(?i)(winmgmts|win32_process|getobject)`)
      or re.regex($e.target.process.command_line, `(?i)(powershell|cmd\s+/c|cmd\.exe)`)
      or re.regex($e.target.process.command_line, `(?i)(\-decode|certutil|bitsadmin)`)
      or re.regex($e.target.process.command_line, `(?i)(regwrite|regread|regdelete|environ\(|callbyname)`)
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle UDM (Unified Data Model) Windows endpoint telemetry forwarded via Chronicle forwarder Sysmon logs normalized to UDM PROCESS_LAUNCH events

Required Tables

UDM events with metadata.event_type = PROCESS_LAUNCH

False Positives

Legitimate enterprise build pipelines or CI/CD systems that invoke VBScript-based test harnesses or build steps via wscript.exe
Active Directory Group Policy scripts executed at logon/logoff via wscript.exe targeting network shares
Third-party monitoring agents (e.g., SolarWinds, Nagios) that use VBScript-based health check scripts to query WMI metrics

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| ImageFileName = /(?i)(\\wscript\.exe|\\cscript\.exe|\\mshta\.exe)$/
| CommandLine = /(?i)(\.(vbs|vbe|wsf|hta)|createobject|wscript\.shell|shell\.application|scripting\.filesystemobject|adodb\.stream|msxml2\.xmlhttp|winhttp|winmgmts|win32_process|powershell|cmd\s+\/c|\-decode|certutil|bitsadmin|regwrite|regread|callbyname|environ\()/
| eval is_hta := if(ImageFileName =~ /(?i)mshta\.exe/ OR CommandLine =~ /(?i)\.hta/, 1, 0)
| eval is_vbs := if(CommandLine =~ /(?i)\.(vbs|vbe)/, 1, 0)
| eval shell_exec := if(CommandLine =~ /(?i)(wscript\.shell|shell\.application|powershell|cmd\s+\/c)/, 2, 0)
| eval net_download := if(CommandLine =~ /(?i)(msxml2\.xmlhttp|winhttp|adodb\.stream)/, 2, 0)
| eval wmi_exec := if(CommandLine =~ /(?i)(winmgmts|win32_process)/, 2, 0)
| eval encode_exec := if(CommandLine =~ /(?i)(\-decode|certutil|bitsadmin)/, 2, 0)
| eval suspicion_score := is_hta + is_vbs + shell_exec + net_download + wmi_exec + encode_exec
| where suspicion_score > 0
| table([@timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, is_hta, is_vbs, shell_exec, net_download, wmi_exec, suspicion_score])
| sort(field=@timestamp, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon Sensor (ProcessRollup2 events) Falcon Data Replicator (FDR) process telemetry Falcon SIEM Connector feeding LogScale

Required Tables

#event_simpleName=ProcessRollup2

False Positives

CrowdStrike Falcon sensor updates or remediation scripts that internally invoke wscript.exe for compatibility shim operations
Enterprise software packaging tools (e.g., Flexera AdminStudio, InstallShield) that use cscript.exe to execute custom action scripts during installation
Microsoft System Center Operations Manager (SCOM) or other monitoring agents that use VBScript-based discovery and health monitoring scripts querying WMI

Visual Basic

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Execution

Popular Detections