T1059.005 Google Chronicle · YARA-L

Detect Visual Basic in Google Chronicle

Adversaries may abuse Visual Basic (VB) for execution. VB is a programming language created by Microsoft with interoperability with many Windows technologies such as COM and the Native API. Derivative languages include Visual Basic for Applications (VBA) embedded in Microsoft Office documents and VBScript executed via Windows Script Host (wscript.exe/cscript.exe). VBA macros in Office documents remain one of the most prevalent initial access vectors, while VBScript is used in HTA files and standalone scripts for payload delivery and execution.

MITRE ATT&CK

Tactic
Execution
Technique
T1059 Command and Scripting Interpreter
Sub-technique
T1059.005 Visual Basic
Canonical reference
https://attack.mitre.org/techniques/T1059/005/

YARA-L Detection Query

Google Chronicle (YARA-L)
yaral 
rule t1059_005_vbscript_suspicious_execution {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects suspicious execution of wscript.exe, cscript.exe, or mshta.exe with VBScript/HTA indicators consistent with MITRE ATT&CK T1059.005 - Visual Basic"
    mitre_attack_tactic = "Execution"
    mitre_attack_technique = "T1059.005"
    severity = "HIGH"
    confidence = "HIGH"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.process.file.full_path = /(?i)(\\wscript\.exe|\\cscript\.exe|\\mshta\.exe)$/
    (
      re.regex($e.target.process.command_line, `(?i)(\.(vbs|vbe|wsf|hta))`)
      or re.regex($e.target.process.command_line, `(?i)(createobject|wscript\.shell|shell\.application|scripting\.filesystemobject)`)
      or re.regex($e.target.process.command_line, `(?i)(adodb\.stream|msxml2\.xmlhttp|winhttp\.winhttprequest)`)
      or re.regex($e.target.process.command_line, `(?i)(winmgmts|win32_process|getobject)`)
      or re.regex($e.target.process.command_line, `(?i)(powershell|cmd\s+/c|cmd\.exe)`)
      or re.regex($e.target.process.command_line, `(?i)(\-decode|certutil|bitsadmin)`)
      or re.regex($e.target.process.command_line, `(?i)(regwrite|regread|regdelete|environ\(|callbyname)`)
    )

  condition:
    $e
}
high severity high confidence

Chronicle YARA-L 2.0 rule detecting T1059.005 Visual Basic execution by matching wscript.exe, cscript.exe, and mshta.exe process launches with suspicious command-line arguments including shell object creation, network download COM objects, WMI execution, registry manipulation, and encoded payload delivery chains.

Data Sources

Google Chronicle UDM (Unified Data Model)Windows endpoint telemetry forwarded via Chronicle forwarderSysmon logs normalized to UDM PROCESS_LAUNCH events

Required Tables

UDM events with metadata.event_type = PROCESS_LAUNCH

False Positives & Tuning

  • Legitimate enterprise build pipelines or CI/CD systems that invoke VBScript-based test harnesses or build steps via wscript.exe
  • Active Directory Group Policy scripts executed at logon/logoff via wscript.exe targeting network shares
  • Third-party monitoring agents (e.g., SolarWinds, Nagios) that use VBScript-based health check scripts to query WMI metrics
Download portable Sigma rule (.yml)

Other platforms for T1059.005

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1VBScript Execution via wscript.exe

    Expected signal: Sysmon Event ID 1: Process Create for wscript.exe with the .vbs file path. Child process event for cmd.exe spawned by wscript.exe. Sysmon Event ID 11: File Create for the .vbs file.

  2. Test 2MSHTA Inline VBScript Execution

    Expected signal: Sysmon Event ID 1: Process Create for mshta.exe with 'vbscript:Execute' in CommandLine. Child process creation for calc.exe spawned by mshta.exe.

  3. Test 3VBScript Network Download via XMLHTTP

    Expected signal: Sysmon Event ID 1: Process Create for cscript.exe. Sysmon Event ID 3: Network Connection to 127.0.0.1:8080. AMSI Event: VBScript content inspection may trigger.

Last updated: 2026-04-17 Research depth: deep
References (5)

Unlock Pro Content

Get the full detection package for T1059.005 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1059Command and Scripting Interpreter

Related Sub-techniques

T1059.001PowerShellT1059.002AppleScriptT1059.003Windows Command ShellT1059.004Unix ShellT1059.006PythonT1059.007JavaScriptT1059.008Network Device CLIT1059.009Cloud APIT1059.010AutoHotKey & AutoITT1059.011LuaT1059.012Hypervisor CLIT1059.013Container CLI/API

Related Techniques

T1059Command and Scripting InterpreterT1059.001PowerShellT1059.003Windows Command ShellT1059.007JavaScriptT1566.001Spearphishing AttachmentT1218.005MshtaT1204.002Malicious FileT1027Obfuscated Files or Information

Same Tactic: Execution

Popular Detections