T1059.005

Visual Basic

Adversaries may abuse Visual Basic (VB) for execution. VB is a programming language created by Microsoft with interoperability with many Windows technologies such as [Component Object Model](https://attack.mitre.org/techniques/T1559/001) and the [Native API](https://attack.mitre.org/techniques/T1106) through the Windows API. Although tagged as legacy with no planned future evolutions, VB is integrated and supported in the .NET Framework and cross-platform .NET Core.(Citation: VB .NET Mar 2020)(C...

Linux, macOS, Windows

66 Detections, 4 Sources, 45 Threat Actors

BY SOURCE

22 sigma, 19 sublime, 18 elastic, 7 splunk_escu

PROCEDURES (40)

- Process Creation Monitoring: 5 detections
- Script Execution Monitoring: 4 detections
- Macro: 4 detections
- Child Process: 4 detections
- Phish: 3 detections
- Parent Process: 3 detections
- File Monitoring: 2 detections
- General Monitoring: 2 detections
- Office: 2 detections
- Attachment: 2 detections
- Network Connection Monitoring: 2 detections
- Powershell: 2 detections
- Suspicious: 2 detections
- Download: 2 detections
- Remote: 2 detections
- Wmi: 1 detection
- Exfiltrat: 1 detection
- Email: 1 detection
- Attachment: 1 detection
- Obfuscat: 1 detection
- Wmi: 1 detection
- Email Security: 1 detection
- Wmi: 1 detection
- Evasion: 1 detection
- Http: 1 detection
- Registry: 1 detection
- Privilege: 1 detection
- Registry: 1 detection
- Office: 1 detection
- Persist: 1 detection
- Bypass: 1 detection
- Service: 1 detection
- Service: 1 detection
- Dns: 1 detection
- Office: 1 detection
- Download: 1 detection
- Remote: 1 detection
- Macro: 1 detection
- Office: 1 detection
- Obfuscat: 1 detection

DETECTIONS (66)

| Detection | Source | Severity |
| --- | --- | --- |
| Adwind RAT / JRAT File Artifact | sigma | high |
| AppLocker Prevented Application or Script from Running | sigma | medium |
| Attachment soliciting user to enable macros | sublime | high |
| Attachment with auto-executing macro (unsolicited) | sublime | medium |
| Attachment with auto-opening VBA macro (unsolicited) | sublime | medium |
| Attachment with high risk VBA macro (unsolicited) | sublime | high |
| Attachment with macro calling executable | sublime | high |
| Attachment with VBA macros from employee impersonation (unsolicited) | sublime | high |
| Attachment: Archive contains DLL-loading macro | sublime | high |
| Attachment: CVE-2021-40444 - MSHTML Remote Code Execution Vulnerability | sublime | critical |
| Attachment: CVE-2025-24071 - Microsoft Windows File Explorer Spoofing Vulnerability | sublime | critical |
| Attachment: Encrypted Microsoft Office file (unsolicited) | sublime | medium |
| Attachment: Excel file with document sharing lure created by Go Excelize | sublime | high |
| Attachment: Excel file with suspicious template identifier | sublime | high |
| Attachment: Macro files containing MHT content | sublime | medium |
| Attachment: Macro with suspected use of COM ShellBrowserWindow object for process creation | sublime | high |
| Attachment: Potential sandbox evasion in Office file | sublime | high |
| Attachment: QR code link with base64-encoded recipient address | sublime | high |
| Attachment: USDA bid invitation impersonation | sublime | medium |
| Attachment: XLSX file with suspicious print titles metadata | sublime | high |
| Cisco NVM - MSHTML or MSHTA Network Execution Without URL in CLI | splunk_escu | |
| Cisco NVM - Susp Script From Archive Triggering Network Activity | splunk_escu | |
| Command and Scripting Interpreter via Windows Scripts | elastic | high |
| Csc.EXE Execution Form Potentially Suspicious Parent | sigma | high |
| Cscript/Wscript Uncommon Script Extension Execution | sigma | high |
| Delayed Execution via Ping | elastic | low |
| Execute Javascript With Jscript COM CLSID | splunk_escu | |
| Execution of a Downloaded Windows Script | elastic | medium |
| HackTool - CACTUSTORCH Remote Thread Creation | sigma | high |
| HackTool - Koadic Execution | sigma | high |
| HTML Help HH.EXE Suspicious Child Process | sigma | high |
| Microsoft Build Engine Started by a Script Process | elastic | medium |
| Microsoft Management Console File from Unusual Path | elastic | medium |
| MMC Loading Script Engines DLLs | sigma | medium |
| Potential Dropper Script Execution Via WScript/CScript | sigma | medium |
| Potential Reconnaissance Activity Via GatherNetworkInfo.VBS | sigma | medium |
| Potential Remote SquiblyTwo Technique Execution | sigma | high |
| Registry Modification Attempt Via VBScript | sigma | medium |
| Registry Modification Attempt Via VBScript - PowerShell | sigma | medium |
| Registry Tampering by Potentially Suspicious Processes | sigma | medium |
| Remote File Download via Script Interpreter | elastic | medium |
| Remote XSL Script Execution via COM | elastic | low |
| Scheduled Task Created by a Windows Script | elastic | medium |
| Script Execution via Microsoft HTML Application | elastic | high |
| Script Interpreter Connection to Non-Standard Port | elastic | medium |
| Service Control Spawned via Script Interpreter | elastic | low |
| Suspicious .NET Code Compilation | elastic | medium |
| Suspicious Child Process Of BgInfo.EXE | sigma | high |
| Suspicious Explorer Child Process | elastic | medium |
| Suspicious HH.EXE Execution | sigma | high |
| Suspicious Process DNS Query Known Abuse Web Services | splunk_escu | |
| Suspicious Process With Discord DNS Query | splunk_escu | |
| Suspicious Reconnaissance Activity Via GatherNetworkInfo.VBS | sigma | high |
| Suspicious ScreenConnect Client Child Process | elastic | medium |
| Suspicious Scripting in a WMI Consumer | sigma | high |
| Suspicious VBA macros from untrusted sender | sublime | high |
| Uncommon Child Process Of BgInfo.EXE | sigma | medium |
| Vbscript Execution Using Wscript App | splunk_escu | |
| Web Shell Detection: Script Process Child of Common Web Processes | elastic | high |
| Windows Outlook Macro Created by Suspicious Process | splunk_escu | |
| Windows Script Executing PowerShell | elastic | low |
| Windows Script Execution from Archive | elastic | medium |
| Windows Script Interpreter Executing Process via WMI | elastic | medium |
| Windows Shell/Scripting Processes Spawning Suspicious Programs | sigma | high |
| WScript or CScript Dropper - File | sigma | high |
| XSL Script Execution Via WMIC.EXE | sigma | medium |