T1059.005 IBM QRadar · QRadar

Detect Visual Basic in IBM QRadar

Adversaries may abuse Visual Basic (VB) for execution. VB is a programming language created by Microsoft with interoperability with many Windows technologies such as COM and the Native API. Derivative languages include Visual Basic for Applications (VBA) embedded in Microsoft Office documents and VBScript executed via Windows Script Host (wscript.exe/cscript.exe). VBA macros in Office documents remain one of the most prevalent initial access vectors, while VBScript is used in HTA files and standalone scripts for payload delivery and execution.

MITRE ATT&CK

Tactic
Execution
Technique
T1059 Command and Scripting Interpreter
Sub-technique
T1059.005 Visual Basic
Canonical reference
https://attack.mitre.org/techniques/T1059/005/

QRadar Detection Query

IBM QRadar (QRadar)
sql 
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  username,
  sourceip,
  "ImageFileName",
  "CommandLine",
  "ParentImage",
  CASE
    WHEN LOWER("ImageFileName") LIKE '%mshta.exe' OR LOWER("CommandLine") LIKE '%.hta%' THEN 1
    ELSE 0
  END AS is_hta,
  CASE
    WHEN LOWER("CommandLine") LIKE '%.vbs%' OR LOWER("CommandLine") LIKE '%.vbe%' THEN 1
    ELSE 0
  END AS is_vbs,
  CASE
    WHEN LOWER("CommandLine") LIKE '%wscript.shell%'
      OR LOWER("CommandLine") LIKE '%shell.application%'
      OR LOWER("CommandLine") LIKE '%powershell%'
      OR LOWER("CommandLine") LIKE '%cmd /c%' THEN 2
    ELSE 0
  END AS shell_score,
  CASE
    WHEN LOWER("CommandLine") LIKE '%msxml2.xmlhttp%'
      OR LOWER("CommandLine") LIKE '%winhttp%'
      OR LOWER("CommandLine") LIKE '%adodb.stream%' THEN 2
    ELSE 0
  END AS net_score,
  CASE
    WHEN LOWER("CommandLine") LIKE '%winmgmts%'
      OR LOWER("CommandLine") LIKE '%win32_process%' THEN 2
    ELSE 0
  END AS wmi_score
FROM events
WHERE LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Sysmon')
  AND (
    LOWER("ImageFileName") LIKE '%\\wscript.exe'
    OR LOWER("ImageFileName") LIKE '%\\cscript.exe'
    OR LOWER("ImageFileName") LIKE '%\\mshta.exe'
  )
  AND LAST 24 HOURS
HAVING (is_hta + is_vbs + shell_score + net_score + wmi_score) > 0
ORDER BY event_time DESC
high severity high confidence

AQL query detecting wscript.exe, cscript.exe, and mshta.exe process executions containing VBScript-related suspicious indicators including shell spawning, network download objects, WMI execution, and HTA/VBS file invocation, with suspicion scoring aligned to T1059.005 behavioral patterns.

Data Sources

Microsoft Windows Security Event Log (EventID 4688)Sysmon Operational Log (EventID 1)QRadar DSM for Windows

Required Tables

events

False Positives & Tuning

  • Enterprise patch management or software distribution systems (e.g., PDQ Deploy, Altiris) that invoke wscript.exe or cscript.exe for deployment scripts
  • Legacy web application portals using mshta.exe to render internal HTML Applications for IT operations
  • Antivirus or EDR products running VBScript-based cleanup or remediation tasks post-quarantine
Download portable Sigma rule (.yml)

Other platforms for T1059.005

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1VBScript Execution via wscript.exe

    Expected signal: Sysmon Event ID 1: Process Create for wscript.exe with the .vbs file path. Child process event for cmd.exe spawned by wscript.exe. Sysmon Event ID 11: File Create for the .vbs file.

  2. Test 2MSHTA Inline VBScript Execution

    Expected signal: Sysmon Event ID 1: Process Create for mshta.exe with 'vbscript:Execute' in CommandLine. Child process creation for calc.exe spawned by mshta.exe.

  3. Test 3VBScript Network Download via XMLHTTP

    Expected signal: Sysmon Event ID 1: Process Create for cscript.exe. Sysmon Event ID 3: Network Connection to 127.0.0.1:8080. AMSI Event: VBScript content inspection may trigger.

Last updated: 2026-04-17 Research depth: deep
References (5)

Unlock Pro Content

Get the full detection package for T1059.005 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1059Command and Scripting Interpreter

Related Sub-techniques

T1059.001PowerShellT1059.002AppleScriptT1059.003Windows Command ShellT1059.004Unix ShellT1059.006PythonT1059.007JavaScriptT1059.008Network Device CLIT1059.009Cloud APIT1059.010AutoHotKey & AutoITT1059.011LuaT1059.012Hypervisor CLIT1059.013Container CLI/API

Related Techniques

T1059Command and Scripting InterpreterT1059.001PowerShellT1059.003Windows Command ShellT1059.007JavaScriptT1566.001Spearphishing AttachmentT1218.005MshtaT1204.002Malicious FileT1027Obfuscated Files or Information

Same Tactic: Execution

Popular Detections