Detect Visual Basic in Splunk
Adversaries may abuse Visual Basic (VB) for execution. VB is a programming language created by Microsoft with interoperability with many Windows technologies such as COM and the Native API. Derivative languages include Visual Basic for Applications (VBA) embedded in Microsoft Office documents and VBScript executed via Windows Script Host (wscript.exe/cscript.exe). VBA macros in Office documents remain one of the most prevalent initial access vectors, while VBScript is used in HTA files and standalone scripts for payload delivery and execution.
MITRE ATT&CK
- Tactic
- Execution
- Technique
- T1059 Command and Scripting Interpreter
- Sub-technique
- T1059.005 Visual Basic
- Canonical reference
- https://attack.mitre.org/techniques/T1059/005/
SPL Detection Query
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
(Image="*\\wscript.exe" OR Image="*\\cscript.exe" OR Image="*\\mshta.exe")
| eval CommandLine=lower(CommandLine)
| eval IsHTA=if(match(Image, "mshta\.exe$") OR match(CommandLine, "\.hta"), 1, 0)
| eval IsVBS=if(match(CommandLine, "\.(vbs|vbe)($|\s|\")"), 1, 0)
| eval ShellExec=if(match(CommandLine, "(wscript\.shell|shell\.application|powershell|cmd\s+/c)"), 1, 0)
| eval NetworkDownload=if(match(CommandLine, "(msxml2\.xmlhttp|winhttp|adodb\.stream)"), 1, 0)
| eval WMIExec=if(match(CommandLine, "(winmgmts|win32_process)"), 1, 0)
| eval SuspicionScore=IsHTA + ShellExec*2 + NetworkDownload*2 + WMIExec*2
| where SuspicionScore > 0 OR IsVBS=1
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, IsHTA, IsVBS, ShellExec, NetworkDownload, WMIExec, SuspicionScore
| sort - _timeDetects suspicious VBScript and HTA execution using Sysmon Event ID 1. Evaluates for HTA usage, VBS script execution, shell command invocation, network downloads via COM objects, and WMI execution. Higher-weight scoring for shell execution and network activity as these indicate active exploitation.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Legitimate IT administration scripts using VBScript for system configuration and inventory
- Login scripts deployed via Group Policy that use VBS for drive mapping and printer assignment
- Legacy business applications that depend on VBScript or HTA interfaces
- Microsoft Office macros used for approved business automation
Other platforms for T1059.005
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1VBScript Execution via wscript.exe
Expected signal: Sysmon Event ID 1: Process Create for wscript.exe with the .vbs file path. Child process event for cmd.exe spawned by wscript.exe. Sysmon Event ID 11: File Create for the .vbs file.
- Test 2MSHTA Inline VBScript Execution
Expected signal: Sysmon Event ID 1: Process Create for mshta.exe with 'vbscript:Execute' in CommandLine. Child process creation for calc.exe spawned by mshta.exe.
- Test 3VBScript Network Download via XMLHTTP
Expected signal: Sysmon Event ID 1: Process Create for cscript.exe. Sysmon Event ID 3: Network Connection to 127.0.0.1:8080. AMSI Event: VBScript content inspection may trigger.
References (5)
- https://attack.mitre.org/techniques/T1059/005/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.005/T1059.005.md
- https://techcommunity.microsoft.com/t5/microsoft-365-blog/helping-users-stay-safe-blocking-internet-macros-by-default-in/ba-p/3071805
- https://lolbas-project.github.io/lolbas/Binaries/Mshta/
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation
Unlock Pro Content
Get the full detection package for T1059.005 including response playbook, investigation guide, and atomic red team tests.