ID | Name |
---|---|
T1059.001 | PowerShell |
T1059.002 | AppleScript |
T1059.003 | Windows Command Shell |
T1059.004 | Unix Shell |
T1059.005 | Visual Basic |
T1059.006 | Python |
T1059.007 | JavaScript |
T1059.008 | Network Device CLI |
Adversaries may abuse Visual Basic (VB) for execution. VB is a programming language created by Microsoft with interoperability with many Windows technologies such as Component Object Model and the Native API through the Windows API. Although tagged as legacy with no planned future evolutions, VB is integrated and supported in the .NET Framework and cross-platform .NET Core.[1][2]
Derivative languages based on VB have also been created, such as Visual Basic for Applications (VBA) and VBScript. VBA is an event-driven programming language built into Microsoft Office, as well as several third-party applications.[3][4] VBA enables documents to contain macros used to automate the execution of tasks and other functionality on the host. VBScript is a default scripting language on Windows hosts and can also be used in place of JavaScript on HTML Application (HTA) webpages served to Internet Explorer (though most modern browsers do not come with VBScript support).[5]
Adversaries may use VB payloads to execute malicious commands. Common malicious usage includes automating execution of behaviors with VBScript or embedding VBA content into Spearphishing Attachment payloads (which may also involve Mark-of-the-Web Bypass to enable execution).[6]
ID | Name | Description |
---|---|---|
G0099 | APT-C-36 | APT-C-36 has embedded a VBScript within a malicious Word document which is executed upon the document opening.[7] |
G0016 | APT29 | |
G0050 | APT32 | APT32 has used macros, COM scriptlets, and VBS scripts.[9][10] |
G0064 | APT33 | APT33 has used VBScript to initiate the delivery of payloads.[11] |
G0067 | APT37 | APT37 executes shellcode and a VBA script to decode Base64 strings.[12] |
G0082 | APT38 | APT38 has used VBScript to execute commands and other operational tasks.[13] |
G0087 | APT39 | |
S0373 | Astaroth | Astaroth has used malicious VBS e-mail attachments for execution.[15] |
S0475 | BackConfig | BackConfig has used VBS to install its downloader component and malicious documents with VBA macro code.[16] |
S0234 | Bandook | Bandook has used malicious VBA code against the target system.[17] |
S0268 | Bisonal | Bisonal's dropper creates VBS scripts on the victim’s machine.[18][19] |
G0060 | BRONZE BUTLER | BRONZE BUTLER has used VBS and VBE scripts for execution.[20][21] |
S0631 | Chaes | |
G0080 | Cobalt Group | Cobalt Group has sent Word OLE compound documents with malicious obfuscated VBA macros that will run upon user execution.[23][24][25][26][27][28] |
S0154 | Cobalt Strike | Cobalt Strike can use VBA to perform execution.[29][30][31] |
S0244 | Comnie | |
G0142 | Confucius | |
S0695 | Donut | Donut can generate shellcode outputs that execute via VBScript.[34] |
S0367 | Emotet | Emotet has sent Microsoft Word documents with embedded macros that will invoke scripts to download additional payloads.[35][36][37][38][39] |
S0343 | Exaramel for Windows | Exaramel for Windows has a command to execute VBS scripts on the victim’s machine.[40] |
S0679 | Ferocious | Ferocious has the ability to use Visual Basic scripts for execution.[41] |
G0085 | FIN4 | FIN4 has used VBA macros to display a dialog box and collect victim credentials.[42][43] |
G0046 | FIN7 | FIN7 used VBS scripts to help perform tasks on the victim's machine.[44][45][46] |
S0696 | Flagpro | Flagpro can execute malicious VBA macros embedded in .xlsm files.[47] |
G0101 | Frankenstein | Frankenstein has used Word documents that prompt the victim to enable macros and run a Visual Basic script.[48] |
G0047 | Gamaredon Group | Gamaredon Group has embedded malicious macros in document templates, which executed VBScript. Gamaredon Group has also delivered Microsoft Outlook VBA projects with embedded macros.[49][50][51][52][53] |
S0477 | Goopy | Goopy has the ability to use a Microsoft Outlook backdoor macro to communicate with its C2.[10] |
G0078 | Gorgon Group | Gorgon Group has used macros in Spearphishing Attachments as well as executed VBScripts on victim machines.[54] |
S0531 | Grandoreiro | Grandoreiro can use VBScript to execute malicious code.[15][55] |
S0170 | Helminth | |
G0126 | Higaisa | |
G0072 | Honeybee | Honeybee embeds a Visual Basic script within a malicious Word document as part of initial access; the script is executed when the Word document is opened.[58] |
S0483 | IcedID | |
G0100 | Inception | Inception has used VBScript to execute malicious commands and payloads.[60][61] |
S0528 | Javali | Javali has used embedded VBScript to download malicious payloads from C2.[15] |
S0389 | JCry | |
S0283 | jRAT | |
S0648 | JSS Loader | JSS Loader can download and execute VBScript files.[46] |
S0585 | Kerrdown | Kerrdown can use a VBS base64 decoder function published by Motobit.[64] |
S0387 | KeyBoy | KeyBoy uses VBS scripts for installing files and performing execution.[65] |
G0094 | Kimsuky | Kimsuky has used Visual Basic to download malicious payloads.[66][67][68][69] Kimsuky has also used malicious VBA macros within maldocs disguised as forms that trigger when a victim types any content into the lure.[69] |
S0250 | Koadic | Koadic performs most of its operations using Windows Script Host (VBScript) and runs arbitrary shellcode.[70] |
S0669 | KOCTOPUS | KOCTOPUS has used VBScript to call wscript to execute a PowerShell command.[71] |
G0032 | Lazarus Group | Lazarus Group has used VBA and embedded macros in Word documents to execute malicious code.[72][73][74][75] |
G0140 | LazyScripter | LazyScripter has used VBScript to execute malicious code.[71] |
G0065 | Leviathan | |
S0447 | Lokibot | Lokibot has used VBS scripts and XLS macros for execution.[77] |
S0582 | LookBack | LookBack has used VBA macros in Microsoft Word attachments to drop additional files to the host.[78] |
G0095 | Machete | Machete has embedded malicious macros within spearphishing attachments to download additional files.[79] |
G0059 | Magic Hound | Magic Hound malware has used VBS scripts for execution.[80] |
S0530 | Melcoz | |
S0455 | Metamorfo | |
G0021 | Molerats | Molerats used various implants, including those built with VBScript, on target machines.[82][83] |
G0069 | MuddyWater | MuddyWater has used VBScript files to execute its POWERSTATS payload, as well as macros.[84][85][86][87][88][89][90][91] |
G0129 | Mustang Panda | Mustang Panda has embedded VBScript components in LNK files to download additional files and automate collection.[92][93][94] |
S0228 | NanHaiShu | NanHaiShu executes additional VBScript code on the victim's machine.[95] |
S0336 | NanoCore | |
S0198 | NETWIRE | |
G0049 | OilRig | OilRig has used VBScript macros for execution on compromised hosts.[99] |
S0264 | OopsIE | OopsIE creates and uses a VBScript as part of its persistent execution.[100][101] |
G0116 | Operation Wocao | Operation Wocao has used a VBScript to conduct reconnaissance on targeted systems.[102] |
S0352 | OSX_OCEANLOTUS.D | OSX_OCEANLOTUS.D uses Word macros for execution.[103] |
G0040 | Patchwork | Patchwork used Visual Basic Scripts (VBS) on victim machines.[104][105] |
S0428 | PoetRAT | PoetRAT has used Word documents with VBScripts to execute malicious activities.[106][107] |
S0441 | PowerShower | PowerShower has the ability to save and execute VBScript.[60] |
S0223 | POWERSTATS | POWERSTATS can use VBScript (VBE) code for execution.[88][108] |
S0147 | Pteranodon | Pteranodon can use a malicious VBS file for execution.[109] |
S0650 | QakBot | QakBot can use VBS to download and execute malicious files.[110][111][112][113][114][115] |
S0269 | QUADAGENT | |
S0458 | Ramsay | Ramsay has included embedded Visual Basic scripts in malicious documents.[117][118] |
G0075 | Rancor | Rancor has used VBS scripts as well as embedded macros for execution.[119] |
S0375 | Remexi | Remexi uses AutoIt and VBS scripts throughout its execution process.[120] |
S0496 | REvil | REvil has used obfuscated VBA macros for execution.[121][122] |
S0240 | ROKRAT | |
G0034 | Sandworm Team | Sandworm Team has created VBScripts to run an SSH server.[124][125][126][127] |
G0104 | Sharpshooter | Sharpshooter's first-stage downloader was a VBA macro.[128] |
S0589 | Sibot | |
G0121 | Sidewinder | Sidewinder has used VBScript to drop and execute malware loaders.[130] |
G0091 | Silence | |
S0226 | Smoke Loader | Smoke Loader adds a Visual Basic script in the Startup folder to deploy the payload.[132] |
S0380 | StoneDrill | StoneDrill has several VBS scripts used throughout the malware's lifecycle.[133] |
S0559 | SUNBURST | SUNBURST used VBScripts to initiate the execution of payloads.[134] |
G0062 | TA459 | |
G0092 | TA505 | |
G0134 | Transparent Tribe | Transparent Tribe has crafted VBS-based malicious documents.[140][141] |
G0010 | Turla | |
S0263 | TYPEFRAME | TYPEFRAME has used a malicious Word document for delivery with VBA macros for execution.[143] |
S0386 | Ursnif | Ursnif droppers have used VBA macros to download and execute the malware's full executable payload.[144] |
S0442 | VBShower | |
S0689 | WhisperGate | WhisperGate can use a Visual Basic script to exclude the |
G0112 | Windshift | |
G0090 | WIRTE | |
S0341 | Xbash | Xbash can execute malicious VBScript payloads on the victim’s machine.[150] |
ID | Mitigation | Description |
---|---|---|
M1049 | Antivirus/Antimalware | Anti-virus can be used to automatically quarantine suspicious files. |
M1040 | Behavior Prevention on Endpoint | On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent Visual Basic scripts from executing potentially malicious downloaded content [151]. |
M1042 | Disable or Remove Feature or Program | Turn off or restrict access to unneeded VB components. |
M1038 | Execution Prevention | Use application control where appropriate. VBA macros obtained from the Internet, based on the file's Mark of the Web (MOTW) attribute, may be blocked from executing in Office applications (ex: Access, Excel, PowerPoint, Visio, and Word) by default starting in Windows Version 2203.[6] |
M1021 | Restrict Web-Based Content | Script blocking extensions can help prevent the execution of scripts and HTA files that may commonly be used during the exploitation process. For malicious code served up through ads, adblockers can help prevent that code from executing in the first place. |
ID | Data Source | Data Component |
---|---|---|
DS0017 | Command | Command Execution |
DS0011 | Module | Module Load |
DS0009 | Process | Process Creation |
DS0012 | Script | Script Execution |
Monitor for events associated with VB execution, such as Office applications spawning processes, usage of the Windows Script Host (typically cscript.exe or wscript.exe), file activity involving VB payloads or scripts, or loading of modules associated with VB languages (ex: vbscript.dll). VB execution is likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for execution and subsequent behavior. Actions may be related to network and system information Discovery, Collection, or other programmable post-compromise behaviors and could be used as indicators of detection leading back to the source.
Understanding standard usage patterns is important to avoid a high number of false positives. If VB execution is restricted for normal users, then any attempts to enable related components running on a system would be considered suspicious. If VB execution is not commonly used on a system, but enabled, execution running out of cycle from patching or other administrator functions is suspicious. Payloads and scripts should be captured from the file system when possible to determine their actions and intent.
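
The monitoring and baselining described above, as an added example that is not part of the original page: a Python triage pass over process-creation and module-load events. The event field names, the sample events, the baseline entry and the reason labels are all assumptions made for illustration.

```python
import ntpath
import re

# Constructed sample events (not real telemetry). Field names are assumptions,
# loosely modelled on process-creation (id 1) and image-load (id 7) records.
EVENTS = [
    {"id": 1, "host": "ws01",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\AppData\Local\Temp\inv.vbs"'},
    {"id": 1, "host": "admin01", "parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r"cscript.exe //nologo C:\Scripts\inventory.vbs"},
    {"id": 7, "host": "ws02", "image": r"C:\Windows\System32\rundll32.exe",
     "loaded": r"C:\Windows\System32\vbscript.dll"},
    {"id": 1, "host": "ws03", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe notes.txt"},
]
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "msaccess.exe", "visio.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
VB_MODULES = {"vbscript.dll"}
# Known-good (host, script) pairs: the "standard usage" baseline (assumed values).
BASELINE = {("admin01", r"c:\scripts\inventory.vbs")}
# First .vbs/.vbe path on a command line, quoted or unquoted.
SCRIPT_RE = re.compile(r'"([^"]+\.vb[se])"|(\S+\.vb[se])\b', re.I)

def name(path):
    """Lower-cased file name of a Windows path, on any OS."""
    return ntpath.basename(path or "").lower()

def classify(ev):
    """Return the reasons an event is suspicious (empty list if none)."""
    reasons = []
    if ev["id"] == 1:
        if name(ev.get("parent")) in OFFICE:
            reasons.append("office-spawned-process")
        if name(ev["image"]) in SCRIPT_HOSTS:
            m = SCRIPT_RE.search(ev["cmdline"])
            script = (m.group(1) or m.group(2)).lower() if m else ""
            if (ev["host"], script) not in BASELINE:
                reasons.append("script-host-outside-baseline")
    elif ev["id"] == 7:
        if name(ev["loaded"]) in VB_MODULES and name(ev["image"]) not in SCRIPT_HOSTS:
            reasons.append("vb-module-in-unexpected-process")
    return reasons

def triage(events):
    """Pair each flagged event's host with its reasons."""
    return [(e["host"], r) for e in events if (r := classify(e))]
```

The scheduled inventory script on admin01 matches the baseline and is not flagged, while the same script host launched by Word from a temp directory is flagged twice.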