T1059.005 Microsoft Sentinel · KQL

Detect Visual Basic in Microsoft Sentinel

Adversaries may abuse Visual Basic (VB) for execution. VB is a programming language created by Microsoft with interoperability with many Windows technologies such as COM and the Native API. Derivative languages include Visual Basic for Applications (VBA) embedded in Microsoft Office documents and VBScript executed via Windows Script Host (wscript.exe/cscript.exe). VBA macros in Office documents remain one of the most prevalent initial access vectors, while VBScript is used in HTA files and standalone scripts for payload delivery and execution.

MITRE ATT&CK

Tactic
Execution
Technique
T1059 Command and Scripting Interpreter
Sub-technique
T1059.005 Visual Basic
Canonical reference
https://attack.mitre.org/techniques/T1059/005/

KQL Detection Query

Microsoft Sentinel (KQL)
kusto 
let SuspiciousPatterns = dynamic([
  "CreateObject", "WScript.Shell", "Shell.Application",
  "Scripting.FileSystemObject", "ADODB.Stream",
  "MSXML2.XMLHTTP", "WinHttp.WinHttpRequest",
  "Environ(", "Shell(", "CallByName",
  "powershell", "cmd /c", "cmd.exe",
  "RegWrite", "RegRead", "RegDelete",
  "GetObject(\"winmgmts", "Win32_Process",
  "-decode", "certutil", "bitsadmin"
]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("wscript.exe", "cscript.exe", "mshta.exe")
| where ProcessCommandLine has_any (SuspiciousPatterns) or ProcessCommandLine has_any (".vbs", ".vbe", ".wsf", ".hta")
| extend IsHTA = FileName =~ "mshta.exe" or ProcessCommandLine has ".hta"
| extend IsVBS = ProcessCommandLine has_any (".vbs", ".vbe")
| extend ShellExec = ProcessCommandLine has_any ("WScript.Shell", "Shell.Application", "powershell", "cmd /c")
| extend NetworkDownload = ProcessCommandLine has_any ("MSXML2.XMLHTTP", "WinHttp", "ADODB.Stream")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         IsHTA, IsVBS, ShellExec, NetworkDownload
| sort by Timestamp desc
high severity high confidence

Detects suspicious Visual Basic execution via Windows Script Host (wscript.exe, cscript.exe) and MSHTA. Identifies VBS/VBE/WSF/HTA script execution with patterns indicating shell command execution, network downloads via COM objects, and registry manipulation. Covers VBScript-based malware delivery used by FIN7, Gamaredon, Mustang Panda, and other threat actors.

Data Sources

Process: Process CreationCommand: Command ExecutionMicrosoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives & Tuning

  • Legitimate IT administration scripts using VBScript for system configuration and inventory
  • Login scripts deployed via Group Policy that use VBS for drive mapping and printer assignment
  • Legacy business applications that depend on VBScript or HTA interfaces
  • Microsoft Office macros used for approved business automation (finance, HR processes)
Download portable Sigma rule (.yml)

Other platforms for T1059.005

Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1VBScript Execution via wscript.exe

    Expected signal: Sysmon Event ID 1: Process Create for wscript.exe with the .vbs file path. Child process event for cmd.exe spawned by wscript.exe. Sysmon Event ID 11: File Create for the .vbs file.

  2. Test 2MSHTA Inline VBScript Execution

    Expected signal: Sysmon Event ID 1: Process Create for mshta.exe with 'vbscript:Execute' in CommandLine. Child process creation for calc.exe spawned by mshta.exe.

  3. Test 3VBScript Network Download via XMLHTTP

    Expected signal: Sysmon Event ID 1: Process Create for cscript.exe. Sysmon Event ID 3: Network Connection to 127.0.0.1:8080. AMSI Event: VBScript content inspection may trigger.

Last updated: 2026-04-17 Research depth: deep
References (5)

Unlock Pro Content

Get the full detection package for T1059.005 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1059Command and Scripting Interpreter

Related Sub-techniques

T1059.001PowerShellT1059.002AppleScriptT1059.003Windows Command ShellT1059.004Unix ShellT1059.006PythonT1059.007JavaScriptT1059.008Network Device CLIT1059.009Cloud APIT1059.010AutoHotKey & AutoITT1059.011LuaT1059.012Hypervisor CLIT1059.013Container CLI/API

Related Techniques

T1059Command and Scripting InterpreterT1059.001PowerShellT1059.003Windows Command ShellT1059.007JavaScriptT1566.001Spearphishing AttachmentT1218.005MshtaT1204.002Malicious FileT1027Obfuscated Files or Information

Same Tactic: Execution

Popular Detections