T1059.005 Sumo Logic CSE · Sumo

Detect Visual Basic in Sumo Logic CSE

Adversaries may abuse Visual Basic (VB) for execution. VB is a programming language created by Microsoft with interoperability with many Windows technologies such as COM and the Native API. Derivative languages include Visual Basic for Applications (VBA) embedded in Microsoft Office documents and VBScript executed via Windows Script Host (wscript.exe/cscript.exe). VBA macros in Office documents remain one of the most prevalent initial access vectors, while VBScript is used in HTA files and standalone scripts for payload delivery and execution.

MITRE ATT&CK

Tactic: Execution
Technique: T1059 Command and Scripting Interpreter
Sub-technique: T1059.005 Visual Basic
Canonical reference: https://attack.mitre.org/techniques/T1059/005/

Sumo Detection Query

Sumo Logic CSE (Sumo)
_sourceCategory=*windows*sysmon* OR _sourceCategory=*wineventlog*
// Process creation from both listed data sources: Sysmon EventID 1 and Security EventID 4688
| where EventID in ("1", "4688") or EventCode in ("1", "4688")
// Security 4688 records carry NewProcessName/ParentProcessName instead of Image/ParentImage
| if(isNull(Image), NewProcessName, Image) as Image
| if(isNull(ParentImage), ParentProcessName, ParentImage) as ParentImage
// Final path component of the image, e.g. C:\Windows\System32\wscript.exe -> wscript.exe
| parse regex field=Image "(?<image_name>[^\\]+)$" nodrop
| toLowerCase(image_name) as image_name
| where image_name in ("wscript.exe", "cscript.exe", "mshta.exe")
| toLowerCase(CommandLine) as cmd_lower
// Low-weight indicators: an HTA or VBScript file on the command line
| if(image_name = "mshta.exe" or contains(cmd_lower, ".hta"), 1, 0) as is_hta
| if(contains(cmd_lower, ".vbs") or contains(cmd_lower, ".vbe"), 1, 0) as is_vbs
// Higher-weight indicators: script content on the command line that spawns shells,
// downloads, calls WMI, or decodes payloads
| if(contains(cmd_lower, "wscript.shell") or
     contains(cmd_lower, "shell.application") or
     contains(cmd_lower, "powershell") or
     contains(cmd_lower, "cmd /c"), 2, 0) as shell_exec
| if(contains(cmd_lower, "msxml2.xmlhttp") or
     contains(cmd_lower, "winhttp") or
     contains(cmd_lower, "adodb.stream"), 2, 0) as net_download
| if(contains(cmd_lower, "winmgmts") or
     contains(cmd_lower, "win32_process"), 2, 0) as wmi_exec
| if(contains(cmd_lower, "-decode") or
     contains(cmd_lower, "certutil") or
     contains(cmd_lower, "bitsadmin"), 2, 0) as encode_exec
| is_hta + is_vbs + shell_exec + net_download + wmi_exec + encode_exec as suspicion_score
| where suspicion_score > 0
| fields _messagetime, Computer, User, image_name, CommandLine, ParentImage, ParentCommandLine, is_hta, is_vbs, shell_exec, net_download, wmi_exec, encode_exec, suspicion_score
| sort by _messagetime desc

Severity: high. Confidence: high.

Sumo Logic CSE query detecting suspicious VBScript/HTA execution via wscript.exe, cscript.exe, and mshta.exe with multi-factor suspicion scoring. Identifies shell spawning, network download activity, WMI abuse, and encoded payload delivery consistent with T1059.005 initial access and execution patterns.

Data Sources

  • Windows Sysmon (EventID 1 - Process Create)
  • Windows Security Event Log (EventID 4688)
  • Sumo Logic Installed Collector on Windows endpoints

Required Tables

  • _sourceCategory=*windows*sysmon*
  • _sourceCategory=*wineventlog*

False Positives & Tuning

  • IT automation frameworks (Ansible Windows WinRM, PowerShell DSC) that use cscript or wscript as part of configuration management tasks
  • SAP GUI scripting or other enterprise ERP applications that embed VBScript macros executed via wscript.exe
  • Security tools or EDR agents that use mshta.exe to render local HTML-based UI components or health dashboards
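The weighted scoring in the query above and the tuning cases in the list above, re-implemented in Python as an added example (not the page's query and not Sumo Logic tooling) so the factors can be exercised offline against constructed process-creation records. The sample records are constructed to resemble the three test cases in the Testing Methodology; the allowlist entries (parent image plus script directory) and the mapping of Security 4688 fields onto Sysmon names are assumptions, not values from the page. It also shows a limit worth knowing when tuning: the content factors (shell_exec, net_download and so on) only fire when the script text is on the command line, as with mshta inline scripts, so a .vbs run from a file scores on is_vbs alone.

```python
"""Offline re-implementation of the page's suspicion scoring over constructed
process-creation records. Added example; not the page's query."""
from typing import Optional

# Interpreters the detection covers (same set as the query).
INTERPRETERS = {"wscript.exe", "cscript.exe", "mshta.exe"}

# (factor, weight, substrings looked for in the lower-cased command line),
# mirroring the query's weighted factors.
FACTORS = [
    ("shell_exec", 2, ("wscript.shell", "shell.application", "powershell", "cmd /c")),
    ("net_download", 2, ("msxml2.xmlhttp", "winhttp", "adodb.stream")),
    ("wmi_exec", 2, ("winmgmts", "win32_process")),
    ("encode_exec", 2, ("-decode", "certutil", "bitsadmin")),
]

# Tuning allowlist modelled on the page's false-positive list. Entries are
# (parent image name, script directory prefix); both are assumptions that an
# operator would replace with what their own fleet actually runs.
ALLOWLIST = [
    ("wsmprovhost.exe", "c:\\programdata\\ansible\\"),   # WinRM-driven config management
    ("saplogon.exe", "c:\\program files (x86)\\sap\\"),  # SAP GUI scripting
]


def image_name(path: str) -> str:
    """Final path component, lower-cased: the query's parse-regex step."""
    return path.rsplit("\\", 1)[-1].lower()


def normalise(event: dict) -> dict:
    """Map a Security 4688 record onto the Sysmon field names the scorer uses."""
    return {
        "EventID": str(event.get("EventID", event.get("EventCode", ""))),
        "Image": event.get("Image") or event.get("NewProcessName", ""),
        "ParentImage": event.get("ParentImage") or event.get("ParentProcessName", ""),
        "CommandLine": event.get("CommandLine", ""),
    }


def score_event(event: dict) -> Optional[dict]:
    """Factor breakdown and total, or None when the record is not a
    process-creation event for one of the VB interpreters."""
    ev = normalise(event)
    if ev["EventID"] not in ("1", "4688"):
        return None
    name = image_name(ev["Image"])
    if name not in INTERPRETERS:
        return None
    cmd = ev["CommandLine"].lower()
    factors = {
        "is_hta": int(name == "mshta.exe" or ".hta" in cmd),
        "is_vbs": int(".vbs" in cmd or ".vbe" in cmd),
    }
    # Content factors only fire when script text is on the command line
    # (mshta inline scripts); a .vbs run from a file scores on is_vbs alone.
    for factor, weight, needles in FACTORS:
        factors[factor] = weight if any(n in cmd for n in needles) else 0
    factors["suspicion_score"] = sum(factors.values())
    return factors


def is_allowlisted(event: dict) -> bool:
    """Suppress known automation only when parent AND script directory match,
    so allowlisting a parent never silences every script it could launch."""
    ev = normalise(event)
    parent = image_name(ev["ParentImage"])
    cmd = ev["CommandLine"].lower()
    return any(parent == p and d in cmd for p, d in ALLOWLIST)


def run(events: list) -> list:
    """Score every record; keep non-allowlisted hits above zero, highest first."""
    alerts = []
    for event in events:
        factors = score_event(event)
        if factors and factors["suspicion_score"] > 0 and not is_allowlisted(event):
            ev = normalise(event)
            alerts.append({"image_name": image_name(ev["Image"]),
                           "CommandLine": ev["CommandLine"], **factors})
    return sorted(alerts, key=lambda a: -a["suspicion_score"])


# Constructed records shaped like the page's three test cases plus tuning noise.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" C:\Users\u\AppData\Local\Temp\invoice.vbs',
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"EventID": 1, "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": 'mshta.exe vbscript:Execute("CreateObject(""WScript.Shell"").Run ""calc.exe"":close")',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cscript.exe",
     "CommandLine": r"cscript.exe //nologo C:\Temp\download.vbs",  # body not on cmdline
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\mshta.exe",  # Security log shape
     "CommandLine": r"mshta.exe C:\Users\u\Downloads\report.hta",
     "ParentProcessName": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cscript.exe",  # allowlisted automation
     "CommandLine": r"cscript.exe C:\ProgramData\ansible\configure.vbs",
     "ParentImage": r"C:\Windows\System32\wsmprovhost.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe", "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(alert["suspicion_score"], alert["image_name"], alert["CommandLine"])
```

Run as a script it prints four alerts: the inline mshta record scores 3 (mshta itself plus WScript.Shell on the command line), while the file-based wscript, cscript and 4688 mshta records score 1 each, and the WinRM-launched Ansible script is suppressed by the allowlist. The allowlist deliberately requires both parent and script directory, since suppressing a parent such as the WinRM host on its own would also hide scripts launched through it by an intruder.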


Testing Methodology

Validate this detection against 3 Atomic Red Team tests for this technique. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: VBScript Execution via wscript.exe

    Expected signal: Sysmon Event ID 1: Process Create for wscript.exe with the .vbs file path. Child process event for cmd.exe spawned by wscript.exe. Sysmon Event ID 11: File Create for the .vbs file.

  2. Test 2: MSHTA Inline VBScript Execution

    Expected signal: Sysmon Event ID 1: Process Create for mshta.exe with 'vbscript:Execute' in CommandLine. Child process creation for calc.exe spawned by mshta.exe.

  3. Test 3: VBScript Network Download via XMLHTTP

    Expected signal: Sysmon Event ID 1: Process Create for cscript.exe. Sysmon Event ID 3: Network Connection to 127.0.0.1:8080. AMSI Event: VBScript content inspection may trigger.
