Detect Visual Basic in CrowdStrike LogScale
Adversaries may abuse Visual Basic (VB) for execution. VB is a programming language created by Microsoft with interoperability with many Windows technologies such as COM and the Native API. Derivative languages include Visual Basic for Applications (VBA) embedded in Microsoft Office documents and VBScript executed via Windows Script Host (wscript.exe/cscript.exe). VBA macros in Office documents remain one of the most prevalent initial access vectors, while VBScript is used in HTA files and standalone scripts for payload delivery and execution.
MITRE ATT&CK
- Tactic: Execution
- Technique: T1059 Command and Scripting Interpreter
- Sub-technique: T1059.005 Visual Basic
- Canonical reference: https://attack.mitre.org/techniques/T1059/005/
LogScale Detection Query
#event_simpleName=ProcessRollup2
| ImageFileName = /(?i)(\\wscript\.exe|\\cscript\.exe|\\mshta\.exe)$/
| CommandLine = /(?i)(\.(vbs|vbe|wsf|hta)|createobject|wscript\.shell|shell\.application|scripting\.filesystemobject|adodb\.stream|msxml2\.xmlhttp|winhttp|winmgmts|win32_process|powershell|cmd\s+\/c|\-decode|certutil|bitsadmin|regwrite|regread|callbyname|environ\()/
// Weight 1 for file-type hints, weight 2 for behavioural indicators (shell, download, WMI, decoding)
| is_hta := if(ImageFileName =~ /(?i)mshta\.exe/ OR CommandLine =~ /(?i)\.hta/, then=1, else=0)
| is_vbs := if(CommandLine =~ /(?i)\.(vbs|vbe)/, then=1, else=0)
| shell_exec := if(CommandLine =~ /(?i)(wscript\.shell|shell\.application|powershell|cmd\s+\/c)/, then=2, else=0)
| net_download := if(CommandLine =~ /(?i)(msxml2\.xmlhttp|winhttp|adodb\.stream)/, then=2, else=0)
| wmi_exec := if(CommandLine =~ /(?i)(winmgmts|win32_process)/, then=2, else=0)
| encode_exec := if(CommandLine =~ /(?i)(\-decode|certutil|bitsadmin)/, then=2, else=0)
| suspicion_score := is_hta + is_vbs + shell_exec + net_download + wmi_exec + encode_exec
// Keep only events with at least one scored indicator
| suspicion_score > 0
| table([@timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, is_hta, is_vbs, shell_exec, net_download, wmi_exec, suspicion_score])
| sort(field=@timestamp, order=desc)
CrowdStrike LogScale (Falcon) query using ProcessRollup2 events to detect suspicious execution of wscript.exe, cscript.exe, and mshta.exe with VBScript/HTA-related indicators. It applies suspicion scoring across shell execution, network download COM objects, WMI invocation, and encoded payload patterns to identify T1059.005 activity.
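To show how the scoring behaves on concrete telemetry, here is an added Python port of the query's prefilter and weighting logic (not Falcon's or LogScale's own code) run over constructed ProcessRollup2-style records; field names follow the query, while the hosts, paths, timestamps and command lines are made up.

```python
import re
# Regex fragments ported from the LogScale query above (constructed Python port, not Falcon code)
IMAGE_RE = re.compile(r"\\(wscript|cscript|mshta)\.exe$", re.I)
PREFILTER_RE = re.compile(
    r"(\.(vbs|vbe|wsf|hta)|createobject|wscript\.shell|shell\.application|scripting\.filesystemobject"
    r"|adodb\.stream|msxml2\.xmlhttp|winhttp|winmgmts|win32_process|powershell|cmd\s+/c|-decode"
    r"|certutil|bitsadmin|regwrite|regread|callbyname|environ\()", re.I)

# (flag name, weight, CommandLine pattern): weights match the query's assignment lines
INDICATORS = [
    ("is_vbs", 1, re.compile(r"\.(vbs|vbe)", re.I)),
    ("shell_exec", 2, re.compile(r"wscript\.shell|shell\.application|powershell|cmd\s+/c", re.I)),
    ("net_download", 2, re.compile(r"msxml2\.xmlhttp|winhttp|adodb\.stream", re.I)),
    ("wmi_exec", 2, re.compile(r"winmgmts|win32_process", re.I)),
    ("encode_exec", 2, re.compile(r"-decode|certutil|bitsadmin", re.I)),
]

def score_event(event):
    """Flags and suspicion_score for one ProcessRollup2-style dict, or None if the query would drop it."""
    image, cmd = event.get("ImageFileName", ""), event.get("CommandLine", "")
    if not IMAGE_RE.search(image) or not PREFILTER_RE.search(cmd):
        return None
    # is_hta keys on the image *or* a .hta argument; every other flag keys on CommandLine only
    flags = {"is_hta": int(bool(re.search(r"mshta\.exe", image, re.I) or re.search(r"\.hta", cmd, re.I)))}
    for name, weight, rx in INDICATORS:
        flags[name] = weight if rx.search(cmd) else 0
    flags["suspicion_score"] = sum(flags.values())
    return flags if flags["suspicion_score"] > 0 else None

def run_detection(events):
    """Score every event and return the alerts newest first, like the query's table/sort stage."""
    alerts = [{**ev, **f} for ev in events if (f := score_event(ev))]
    return sorted(alerts, key=lambda a: a["@timestamp"], reverse=True)

# Constructed sample telemetry, not real sensor data
SAMPLE_EVENTS = [
    {"@timestamp": "2024-05-01T10:00:00Z", "ComputerName": "WS01",
     "ImageFileName": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"wscript.exe C:\Users\alice\Downloads\invoice.vbs"},
    {"@timestamp": "2024-05-01T10:05:00Z", "ComputerName": "WS02",
     "ImageFileName": r"C:\Windows\System32\mshta.exe",
     "CommandLine": 'mshta.exe vbscript:Execute("CreateObject(""WScript.Shell"").Run ""cmd /c echo hi""")'},
    {"@timestamp": "2024-05-01T10:10:00Z", "ComputerName": "SRV01",  # SCOM-style discovery script: scores 1, a tuning candidate
     "ImageFileName": r"C:\Windows\System32\cscript.exe",
     "CommandLine": r"cscript.exe //nologo C:\Program Files\Monitoring\discover.vbs"},
    {"@timestamp": "2024-05-01T10:15:00Z", "ComputerName": "WS03",  # wrong image: never reaches scoring
     "ImageFileName": r"C:\Windows\System32\notepad.exe", "CommandLine": r"notepad.exe C:\temp\notes.vbs"},
]
```

Calling run_detection(SAMPLE_EVENTS) yields three alerts: the monitoring script and the downloaded .vbs each score 1, while the inline mshta launch scores 3 (is_hta plus shell_exec), which is where a score threshold or the tuning list above would separate them.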
Data Sources
Required Tables
False Positives & Tuning
- CrowdStrike Falcon sensor updates or remediation scripts that internally invoke wscript.exe for compatibility shim operations
- Enterprise software packaging tools (e.g., Flexera AdminStudio, InstallShield) that use cscript.exe to execute custom action scripts during installation
- Microsoft System Center Operations Manager (SCOM) or other monitoring agents that use VBScript-based discovery and health monitoring scripts querying WMI
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: VBScript Execution via wscript.exe
Expected signal: Sysmon Event ID 1: Process Create for wscript.exe with the .vbs file path. Child process event for cmd.exe spawned by wscript.exe. Sysmon Event ID 11: File Create for the .vbs file.
- Test 2: MSHTA Inline VBScript Execution
Expected signal: Sysmon Event ID 1: Process Create for mshta.exe with 'vbscript:Execute' in CommandLine. Child process creation for calc.exe spawned by mshta.exe.
- Test 3: VBScript Network Download via XMLHTTP
Expected signal: Sysmon Event ID 1: Process Create for cscript.exe. Sysmon Event ID 3: Network Connection to 127.0.0.1:8080. AMSI Event: VBScript content inspection may trigger.
References
- https://attack.mitre.org/techniques/T1059/005/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.005/T1059.005.md
- https://techcommunity.microsoft.com/t5/microsoft-365-blog/helping-users-stay-safe-blocking-internet-macros-by-default-in/ba-p/3071805
- https://lolbas-project.github.io/lolbas/Binaries/Mshta/
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation