title: Visual Basic (T1059.005)
id: df00tech-t1059-005
status: experimental
description: "Adversaries may abuse Visual Basic (VB) for execution. VB is a programming language created by Microsoft with interoperability with many Windows technologies such as COM and the Native API. Derivative languages include Visual Basic for Applications (VBA) embedded in Microsoft Office documents and VBScript executed via Windows Script Host (wscript.exe/cscript.exe). VBA macros in Office documents remain one of the most prevalent initial access vectors, while VBScript is used in HTA files and standalone scripts for payload delivery and execution."
references:
  - https://attack.mitre.org/techniques/T1059/005/
  - https://df00tech.com/detections/T1059.005
author: df00tech
date: 2026/04/17
tags:
  - attack.t1059.005
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
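  # The upstream logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # Approximation (an assumption, not the upstream query): match the Windows Script Host
  # binaries named in the description. The previous catch-all EventID: '*' matched every
  # process-creation event. Office VBA macro execution is not covered by this selection.
  selection:
    Image|endswith:
      - '\wscript.exe'
      - '\cscript.exe'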
  condition: selection
falsepositives:
  - Legitimate IT administration scripts using VBScript for system configuration and inventory
  - Login scripts deployed via Group Policy that use VBS for drive mapping and printer assignment
  - Legacy business applications that depend on VBScript or HTA interfaces
  - "Microsoft Office macros used for approved business automation (finance, HR processes)"
level: high
