Detect Visual Basic in Elastic Security
Adversaries may abuse Visual Basic (VB) for execution. VB is a programming language created by Microsoft with interoperability with many Windows technologies such as COM and the Native API. Derivative languages include Visual Basic for Applications (VBA) embedded in Microsoft Office documents and VBScript executed via Windows Script Host (wscript.exe/cscript.exe). VBA macros in Office documents remain one of the most prevalent initial access vectors, while VBScript is used in HTA files and standalone scripts for payload delivery and execution.
MITRE ATT&CK
- Tactic
- Execution
- Technique
- T1059 Command and Scripting Interpreter
- Sub-technique
- T1059.005 Visual Basic
- Canonical reference
- https://attack.mitre.org/techniques/T1059/005/
Elastic Detection Query
process where event.type == "start"
and process.name in~ ("wscript.exe", "cscript.exe", "mshta.exe")
and (
process.args : ("*.vbs", "*.vbe", "*.wsf", "*.hta")
or process.command_line : (
"*CreateObject*", "*WScript.Shell*", "*Shell.Application*",
"*Scripting.FileSystemObject*", "*ADODB.Stream*",
"*MSXML2.XMLHTTP*", "*WinHttp.WinHttpRequest*",
"*Environ(*", "*Shell(*", "*CallByName*",
"*powershell*", "*cmd /c*", "*cmd.exe*",
"*RegWrite*", "*RegRead*", "*RegDelete*",
"*winmgmts*", "*Win32_Process*",
"*-decode*", "*certutil*", "*bitsadmin*"
)
)Detects execution of wscript.exe, cscript.exe, or mshta.exe with suspicious VB/VBScript patterns indicating shell execution, network downloads, WMI abuse, or encoded payload delivery consistent with MITRE ATT&CK T1059.005.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate enterprise automation using VBScript for software deployment or IT management tasks (e.g., SCCM/MECM scripts, logon scripts)
- Administrative tools invoking mshta.exe for internal HTML application dashboards or legacy admin portals
- Software installers that use cscript.exe or wscript.exe as part of a legitimate MSI or setup sequence
Other platforms for T1059.005
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1VBScript Execution via wscript.exe
Expected signal: Sysmon Event ID 1: Process Create for wscript.exe with the .vbs file path. Child process event for cmd.exe spawned by wscript.exe. Sysmon Event ID 11: File Create for the .vbs file.
- Test 2MSHTA Inline VBScript Execution
Expected signal: Sysmon Event ID 1: Process Create for mshta.exe with 'vbscript:Execute' in CommandLine. Child process creation for calc.exe spawned by mshta.exe.
- Test 3VBScript Network Download via XMLHTTP
Expected signal: Sysmon Event ID 1: Process Create for cscript.exe. Sysmon Event ID 3: Network Connection to 127.0.0.1:8080. AMSI Event: VBScript content inspection may trigger.
References (5)
- https://attack.mitre.org/techniques/T1059/005/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.005/T1059.005.md
- https://techcommunity.microsoft.com/t5/microsoft-365-blog/helping-users-stay-safe-blocking-internet-macros-by-default-in/ba-p/3071805
- https://lolbas-project.github.io/lolbas/Binaries/Mshta/
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation
Unlock Pro Content
Get the full detection package for T1059.005 including response playbook, investigation guide, and atomic red team tests.