Description
Adversaries may abuse Visual Basic (VB) for execution. VB is a programming language created by Microsoft that interoperates with many Windows technologies, such as the Component Object Model (COM) and, through the Windows API, the Native API. Although tagged as legacy with no planned future evolutions, VB is integrated and supported in the .NET Framework and in cross-platform .NET Core.(Citation: VB .NET Mar 2020)(Citation: VB Microsoft)
Derivative languages based on VB have also been created, such as Visual Basic for Applications (VBA) and VBScript. VBA is an event-driven programming language built into Microsoft Office, as well as several third-party applications.(Citation: Microsoft VBA)(Citation: Wikipedia VBA) VBA enables documents to contain macros used to automate the execution of tasks and other functionality on the host. VBScript is a default scripting language on Windows hosts, executed by the Windows Script Host (wscript.exe and cscript.exe), and can also be used in place of JavaScript in HTML Application (HTA) files served to Internet Explorer or run through mshta.exe (most modern browsers do not support VBScript).(Citation: Microsoft VBScript) Microsoft announced the deprecation of VBScript in October 2023, and from Windows 11 version 24H2 it ships as a removable Feature on Demand, so its presence on a host should no longer be assumed.
Adversaries may use VB payloads to execute malicious commands. Common malicious usage includes automating execution of behaviors with VBScript (typically launched via wscript.exe, cscript.exe, or mshta.exe) or embedding VBA content into Spearphishing Attachment payloads (which may also involve Mark-of-the-Web Bypass to enable execution).(Citation: Default VBS macros Blocking)
Platforms
Mitigations (5)
Disable or Remove Feature or Program (M1042)
Turn off or restrict access to unneeded VB components, for example by removing the VBScript Feature on Demand on Windows 11 24H2 hosts that do not need it, or by restricting wscript.exe and cscript.exe through application control where VBScript is not required.
Antivirus/Antimalware (M1049)
Anti-virus can be used to automatically quarantine suspicious files.
Execution Prevention (M1038)
Use application control where appropriate. VBA macros in files obtained from the Internet, as indicated by the file's Mark of the Web (MOTW; the Zone.Identifier alternate data stream written by browsers and mail clients), are blocked from executing in Office applications (Access, Excel, PowerPoint, Visio, and Word) by default starting with Office Version 2203. The same behaviour can be enforced explicitly through the "Block macros from running in Office files from the Internet" policy.(Citation: Default VBS macros Blocking)
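As an added example (not code from the ATT&CK page or from the cited Microsoft post), the following PowerShell shows the two halves of this mitigation: reading the Mark of the Web that Office consults, and writing the per-user policy value behind the "Block macros from running in Office files from the Internet" setting. It assumes Windows PowerShell 5.1 or later on an NTFS volume and an Office 2016-or-later install (registry hive 16.0); the file invoice.docm and its contents are constructed for the demonstration and are not a real document.

```powershell
# Added example, not code from the ATT&CK page. Assumes Windows, NTFS, Office 16.0 hive.

function Get-MotwZoneId {
    # Returns the ZoneId from the file's Zone.Identifier alternate data stream,
    # or $null when the stream is absent (the file is then treated as local).
    # Zone values: 0 local machine, 1 intranet, 2 trusted, 3 Internet, 4 restricted.
    param([Parameter(Mandatory)][string]$Path)
    try {
        $lines = Get-Content -LiteralPath $Path -Stream 'Zone.Identifier' -ErrorAction Stop
    } catch {
        return $null
    }
    foreach ($line in $lines) {
        if ($line -match '^\s*ZoneId\s*=\s*(\d+)') { return [int]$Matches[1] }
    }
    return $null
}

$OfficeApps = @('word', 'excel', 'powerpoint', 'access', 'visio')

function Set-OfficeInternetMacroBlock {
    # Writes the policy value behind "Block macros from running in Office files from
    # the Internet" for the current user. Group Policy and Intune write the same value.
    foreach ($app in $OfficeApps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' `
            -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

function Get-OfficeInternetMacroBlock {
    # One row per application: $true when the policy is set to block.
    foreach ($app in $OfficeApps) {
        $key  = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        $item = Get-ItemProperty -LiteralPath $key -Name 'blockcontentexecutionfrominternet' -ErrorAction SilentlyContinue
        [pscustomobject]@{ App = $app; InternetMacrosBlocked = ($item.blockcontentexecutionfrominternet -eq 1) }
    }
}

# --- Demonstration on a constructed file (not a real document) ---
$doc = Join-Path $env:TEMP 'invoice.docm'
Set-Content -LiteralPath $doc -Value 'constructed placeholder'
# Stamp the file the way a browser or mail client does for an Internet download.
Set-Content -LiteralPath $doc -Stream 'Zone.Identifier' -Value "[ZoneTransfer]`r`nZoneId=3"
"ZoneId with MOTW:          $(Get-MotwZoneId -Path $doc)"   # 3: Office blocks macros in this file
# Unblock-File strips the stream; this is the effect a Mark-of-the-Web Bypass aims for.
Unblock-File -LiteralPath $doc
"ZoneId after Unblock-File: $(Get-MotwZoneId -Path $doc)"   # blank: no longer blocked by default
Remove-Item -LiteralPath $doc

Set-OfficeInternetMacroBlock
Get-OfficeInternetMacroBlock | Format-Table -AutoSize
```

In production, push the policy through Group Policy or Intune rather than a per-user script. The check is only as good as the stream: files in Trusted Locations, and files whose Zone.Identifier was lost on the way (for example, extracted from a container format that does not propagate it), are not covered, which is why this mitigation is paired with ASR rules and application control.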
Behavior Prevention on Endpoint (M1040)
On Windows 10 and later with Microsoft Defender Antivirus, enable Attack Surface Reduction (ASR) rules such as "Block JavaScript or VBScript from launching downloaded executable content", "Block execution of potentially obfuscated scripts", and "Block all Office applications from creating child processes" to prevent Visual Basic scripts and macros from executing potentially malicious downloaded content. Roll new rules out in audit mode first and review the resulting Defender events before switching them to block.(Citation: win10_asr)
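The PowerShell below is an added example (not code from the ATT&CK page or the cited ASR documentation) for enabling the ASR rules relevant to this technique and verifying their state. It assumes an elevated session on Windows 10/11 with Microsoft Defender Antivirus as the active antivirus (ASR rules are not enforced otherwise); the rule GUIDs are Microsoft's published identifiers for these rules, and the function names are this example's own.

```powershell
# Added example, not code from the ATT&CK page. Assumes an elevated session on
# Windows 10/11 with Microsoft Defender Antivirus active (ASR needs it as the
# primary AV). Rule GUIDs are Microsoft's published identifiers for these rules.

$VbAsrRules = [ordered]@{
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JavaScript or VBScript from launching downloaded executable content'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' = 'Block Win32 API calls from Office macros'
}

function Set-VbAsrRules {
    # Start in AuditMode: Defender logs what would have been blocked (event 1122)
    # without breaking line-of-business macros; switch to Enabled after review.
    param([ValidateSet('Enabled', 'AuditMode', 'Warn', 'Disabled')][string]$Mode = 'AuditMode')
    foreach ($id in $VbAsrRules.Keys) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $Mode
    }
}

function Get-VbAsrRuleState {
    # Get-MpPreference exposes parallel Ids/Actions arrays; cross-reference them with our set.
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    foreach ($id in $VbAsrRules.Keys) {
        $state = 'NotConfigured'
        for ($i = 0; $i -lt $ids.Count; $i++) {
            if ($ids[$i] -ieq $id) {
                $state = switch ([int]$actions[$i]) {
                    0 { 'Disabled' } 1 { 'Block' } 2 { 'Audit' } 6 { 'Warn' } default { "Unknown($_)" }
                }
            }
        }
        [pscustomobject]@{ State = $state; RuleId = $id; Rule = $VbAsrRules[$id] }
    }
}

function Get-VbAsrEvents {
    # 1121 = blocked, 1122 = audited. Shows what the rules stopped or would have stopped.
    param([int]$MaxEvents = 25)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1121, 1122 } `
        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
}

Set-VbAsrRules -Mode AuditMode
Get-VbAsrRuleState | Format-Table -AutoSize
Get-VbAsrEvents    | Format-Table -AutoSize
```

Run the audit phase long enough to cover a normal business cycle (month-end reporting macros are the usual surprise), add exclusions for the few legitimate Office-spawned scripts you find, and only then re-run with -Mode Enabled. Tenant-wide deployment belongs in Intune or Group Policy; this script is for validating a single host.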
Restrict Web-Based Content (M1021)
Script blocking extensions can help prevent the execution of scripts and HTA files that may commonly be used during the exploitation process. For malicious code served up through ads, adblockers can help prevent that code from executing in the first place.
Threat Groups (46)
| ID | Group | Context |
|---|---|---|
| G0040 | Patchwork | [Patchwork](https://attack.mitre.org/groups/G0040) used Visual Basic Scripts (VBS) on victim machines.(Citation: TrendMicro Patchwork Dec 2017)(Citati... |
| G0126 | Higaisa | [Higaisa](https://attack.mitre.org/groups/G0126) has used VBScript code on the victim's machine.(Citation: PTSecurity Higaisa 2020) |
| G0085 | FIN4 | [FIN4](https://attack.mitre.org/groups/G0085) has used VBA macros to display a dialog box and collect victim credentials.(Citation: FireEye Hacking FI... |
| G0090 | WIRTE | [WIRTE](https://attack.mitre.org/groups/G0090) has used VBScript in its operations.(Citation: Lab52 WIRTE Apr 2019) |
| G0112 | Windshift | [Windshift](https://attack.mitre.org/groups/G0112) has used Visual Basic 6 (VB6) payloads.(Citation: BlackBerry Bahamut) |
| G0010 | Turla | [Turla](https://attack.mitre.org/groups/G0010) has used VBS scripts throughout its operations.(Citation: Symantec Waterbug Jun 2019) |
| G1006 | Earth Lusca | [Earth Lusca](https://attack.mitre.org/groups/G1006) used VBA scripts.(Citation: TrendMicro EarthLusca 2022) |
| G0075 | Rancor | [Rancor](https://attack.mitre.org/groups/G0075) has used VBS scripts as well as embedded macros for execution.(Citation: Rancor Unit42 June 2018) |
| G0129 | Mustang Panda | [Mustang Panda](https://attack.mitre.org/groups/G0129) has embedded VBScript components in LNK files to download additional files and automate collect... |
| G0134 | Transparent Tribe | [Transparent Tribe](https://attack.mitre.org/groups/G0134) has crafted VBS-based malicious documents.(Citation: Proofpoint Operation Transparent Tribe... |
| G0091 | Silence | [Silence](https://attack.mitre.org/groups/G0091) has used VBS scripts.(Citation: Cyber Forensicator Silence Jan 2019) |
| G0047 | Gamaredon Group | [Gamaredon Group](https://attack.mitre.org/groups/G0047) has embedded malicious macros in document templates, which executed VBScript. [Gamaredon Grou... |
| G0046 | FIN7 | [FIN7](https://attack.mitre.org/groups/G0046) used VBS scripts to help perform tasks on the victim's machine.(Citation: FireEye FIN7 Aug 2018)(Citatio... |
| G0082 | APT38 | [APT38](https://attack.mitre.org/groups/G0082) has used VBScript to execute commands and other operational tasks.(Citation: CISA AA20-239A BeagleBoyz ... |
| G0095 | Machete | [Machete](https://attack.mitre.org/groups/G0095) has embedded malicious macros within spearphishing attachments to download additional files.(Citation... |
| G0069 | MuddyWater | [MuddyWater](https://attack.mitre.org/groups/G0069) has used VBScript files to execute its [POWERSTATS](https://attack.mitre.org/software/S0223) paylo... |
| G1044 | APT42 | [APT42](https://attack.mitre.org/groups/G1044) has used a VBScript to query anti-virus products.(Citation: Mandiant APT42-untangling) |
| G0060 | BRONZE BUTLER | [BRONZE BUTLER](https://attack.mitre.org/groups/G0060) has used VBS and VBE scripts for execution.(Citation: Secureworks BRONZE BUTLER Oct 2017)(Citat... |
| G0142 | Confucius | [Confucius](https://attack.mitre.org/groups/G0142) has used VBScript to execute malicious code.(Citation: TrendMicro Confucius APT Feb 2018) |
| G0092 | TA505 | [TA505](https://attack.mitre.org/groups/G0092) has used VBS for code execution.(Citation: Proofpoint TA505 Sep 2017)(Citation: Proofpoint TA505 June 2... |
Associated Software (69)
| ID | Name | Type | Context |
|---|---|---|---|
| S0447 | Lokibot | Malware | [Lokibot](https://attack.mitre.org/software/S0447) has used VBS scripts and XLS macros for execution.(Citation: Talos Lokibot Jan 2021) |
| S0531 | Grandoreiro | Malware | [Grandoreiro](https://attack.mitre.org/software/S0531) can use VBScript to execute malicious code.(Citation: Securelist Brazilian Banking Malware July... |
| S0475 | BackConfig | Malware | [BackConfig](https://attack.mitre.org/software/S0475) has used VBS to install its downloader component and malicious documents with VBA macro code.(Ci... |
| S1030 | Squirrelwaffle | Malware | [Squirrelwaffle](https://attack.mitre.org/software/S1030) has used malicious VBA macros in Microsoft Word documents and Excel spreadsheets that execut... |
| S0250 | Koadic | Tool | [Koadic](https://attack.mitre.org/software/S0250) performs most of its operations using Windows Script Host (VBScript) and runs arbitrary shellcode .(... |
| S0585 | Kerrdown | Malware | [Kerrdown](https://attack.mitre.org/software/S0585) can use a VBS base64 decoder function published by Motobit.(Citation: Unit 42 KerrDown February 20... |
| S0477 | Goopy | Malware | [Goopy](https://attack.mitre.org/software/S0477) has the ability to use a Microsoft Outlook backdoor macro to communicate with its C2.(Citation: Cyber... |
| S1149 | CHIMNEYSWEEP | Malware | [CHIMNEYSWEEP](https://attack.mitre.org/software/S1149) has executed a script named cln.vbs on compromised hosts.(Citation: Mandiant ROADSWEEP August ... |
| S0283 | jRAT | Malware | [jRAT](https://attack.mitre.org/software/S0283) has been distributed as HTA files with VBScript.(Citation: Kaspersky Adwind Feb 2016) |
| S1064 | SVCReady | Malware | [SVCReady](https://attack.mitre.org/software/S1064) has used VBA macros to execute shellcode.(Citation: HP SVCReady Jun 2022) |
| S1086 | Snip3 | Malware | [Snip3](https://attack.mitre.org/software/S1086) can use visual basic scripts for first-stage execution.(Citation: Morphisec Snip3 May 2021)(Citation:... |
| S0341 | Xbash | Malware | [Xbash](https://attack.mitre.org/software/S0341) can execute malicious VBScript payloads on the victim’s machine.(Citation: Unit42 Xbash Sept 2018) |
| S0442 | VBShower | Malware | [VBShower](https://attack.mitre.org/software/S0442) has the ability to execute VBScript files.(Citation: Kaspersky Cloud Atlas August 2019) |
| S0343 | Exaramel for Windows | Malware | [Exaramel for Windows](https://attack.mitre.org/software/S0343) has a command to execute VBS scripts on the victim’s machine.(Citation: ESET TeleBots ... |
| S0373 | Astaroth | Malware | [Astaroth](https://attack.mitre.org/software/S0373) has used malicious VBS e-mail attachments for execution.(Citation: Securelist Brazilian Banking Ma... |
| S0228 | NanHaiShu | Malware | [NanHaiShu](https://attack.mitre.org/software/S0228) executes additional VBScript code on the victim's machine.(Citation: fsecure NanHaiShu July 2016) |
| S0582 | LookBack | Malware | [LookBack](https://attack.mitre.org/software/S0582) has used VBA macros in Microsoft Word attachments to drop additional files to the host.(Citation: ... |
| S1193 | TAMECAT | Malware | [TAMECAT](https://attack.mitre.org/software/S1193) has used VBScript to query anti-virus products.(Citation: Mandiant APT42-untangling) |
| S0631 | Chaes | Malware | [Chaes](https://attack.mitre.org/software/S0631) has used VBscript to execute malicious code.(Citation: Cybereason Chaes Nov 2020) |
| S0695 | Donut | Tool | [Donut](https://attack.mitre.org/software/S0695) can generate shellcode outputs that execute via VBScript.(Citation: Donut Github) |
Related CWE Weaknesses
References
- .NET Team. (2020, March 11). Visual Basic support planned for .NET 5.0. Retrieved June 23, 2020.
- Kellie Eickmeyer. (2022, February 7). Helping users stay safe: Blocking internet macros by default in Office. Retrieved February 7, 2022.
- Microsoft. (2011, April 19). What Is VBScript?. Retrieved March 28, 2020.
- Microsoft. (2019, June 11). Office VBA Reference. Retrieved June 23, 2020.
- Microsoft. (n.d.). Visual Basic documentation. Retrieved June 23, 2020.
- Wikipedia. (n.d.). Visual Basic for Applications. Retrieved August 13, 2020.
Frequently Asked Questions
What is T1059.005 (Visual Basic)?
T1059.005 is a MITRE ATT&CK technique named 'Visual Basic'. It belongs to the Execution tactic(s). Adversaries may abuse Visual Basic (VB) for execution. VB is a programming language created by Microsoft with interoperability with many Windows technologies such as [Component Object Model](https://a...
How can T1059.005 be detected?
Detection of T1059.005 (Visual Basic) centres on process, script, and file telemetry rather than network traffic. Monitor for the Windows Script Host engines (wscript.exe, cscript.exe) and mshta.exe, especially when spawned by Office applications or started from user-writable paths with .vbs, .vbe, or .wsf arguments; for Office applications spawning cmd.exe or powershell.exe; for vbscript.dll or vbe7.dll being loaded into unexpected processes; and for creation of VB script files in download and temp directories. Windows Script Host and Office VBA both hand script content to AMSI, so AMSI-integrated antivirus and EDR can inspect de-obfuscated VB at run time. Build SIEM rules on the parent-child and command-line fields of Sysmon Event ID 1 or Security Event 4688 (with command-line logging enabled), and on Defender ASR events 1121 and 1122.
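As an added example (not code from the ATT&CK page), the following PowerShell applies that hunting logic to process-creation records. The $SampleEvents are constructed to mirror Sysmon Event ID 1 fields (Image, ParentImage, CommandLine) and are not real captures; the process lists, path pattern, and function names are this example's own choices, and in production the events would come from Get-WinEvent on Microsoft-Windows-Sysmon/Operational or from Security Event 4688.

```powershell
# Added example, not code from the ATT&CK page. Hunting logic for VB execution over
# process-creation records. $SampleEvents below are constructed to mirror Sysmon
# Event ID 1 fields; in production feed it from Get-WinEvent on
# 'Microsoft-Windows-Sysmon/Operational' (or Security 4688 with command-line logging).

$OfficeParents = @('winword.exe', 'excel.exe', 'powerpnt.exe', 'msaccess.exe', 'visio.exe', 'outlook.exe')
$ScriptHosts   = @('wscript.exe', 'cscript.exe', 'mshta.exe')
$UserWritable  = '(?i)\\(Users|Temp|AppData|Downloads|ProgramData|Public)\\'

function Get-Leaf([string]$Path) { (($Path -split '[\\/]')[-1]).ToLowerInvariant() }

function Test-VbExecution {
    # Returns one object per event with the list of reasons it looks like T1059.005.
    param([Parameter(Mandatory)][hashtable]$Event)
    $image   = Get-Leaf $Event.Image
    $parent  = Get-Leaf $Event.ParentImage
    $cmd     = [string]$Event.CommandLine
    $reasons = @()

    # 1. Macro -> script host: an Office process launching WSH or mshta.
    if ($image -in $ScriptHosts -and $parent -in $OfficeParents) {
        $reasons += "office ($parent) spawned $image"
    }
    # 2. Script host executing a VB file from a user-writable location.
    if ($image -in $ScriptHosts -and $cmd -match '(?i)\.(vbs|vbe|wsf)\b' -and $cmd -match $UserWritable) {
        $reasons += 'VB script file run from user-writable path'
    }
    # 3. Inline VBScript: mshta vbscript:... or cscript/wscript //E:vbscript.
    if ($cmd -match '(?i)\bvbscript:' -or $cmd -match '(?i)//e:vbscript') {
        $reasons += 'inline VBScript engine invocation'
    }
    # 4. VBA Shell() / WScript.Shell reaching a shell directly from the Office process.
    if ($parent -in $OfficeParents -and $image -in @('cmd.exe', 'powershell.exe', 'pwsh.exe')) {
        $reasons += "office ($parent) spawned $image"
    }

    [pscustomobject]@{
        Suspicious  = ($reasons.Count -gt 0)
        Reasons     = $reasons
        Image       = $image
        Parent      = $parent
        CommandLine = $cmd
    }
}

# Constructed sample telemetry (not real captures): three hits and one benign baseline.
$SampleEvents = @(
    @{ Image = 'C:\Windows\System32\wscript.exe'
       ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
       CommandLine = 'wscript.exe //B C:\Users\alice\AppData\Local\Temp\inv.vbs' }
    @{ Image = 'C:\Windows\System32\mshta.exe'
       ParentImage = 'C:\Windows\explorer.exe'
       CommandLine = 'mshta vbscript:Execute("MsgBox 1:close")' }
    @{ Image = 'C:\Windows\System32\cscript.exe'
       ParentImage = 'C:\Windows\System32\cmd.exe'
       CommandLine = 'cscript.exe //nologo C:\Windows\System32\slmgr.vbs /dli' }   # legitimate admin script
    @{ Image = 'C:\Windows\System32\cmd.exe'
       ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE'
       CommandLine = 'cmd.exe /c whoami' }
)

$SampleEvents | ForEach-Object { Test-VbExecution -Event $_ } |
    Where-Object { $_.Suspicious } |
    Select-Object Image, Parent, @{ n = 'Reasons'; e = { $_.Reasons -join '; ' } } |
    Format-Table -AutoSize
```

The slmgr.vbs record is the baseline: a script host running a Microsoft-shipped .vbs from System32 under cmd.exe matches none of the four conditions, while the Word-spawned wscript.exe trips both the parent check and the user-writable path check. When feeding this from Security 4688 rather than Sysmon, the parent comes from the Creator Process Name field, and the command line is only present if "Include command line in process creation events" is enabled; Sysmon Event ID 7 (image load) adds the vbscript.dll and vbe7.dll signal this rule does not cover.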
What mitigations exist for T1059.005?
There are 5 documented mitigations for T1059.005. Key mitigations include: Disable or Remove Feature or Program, Antivirus/Antimalware, Execution Prevention, Behavior Prevention on Endpoint, Restrict Web-Based Content.
Which threat groups use T1059.005?
Known threat groups using T1059.005 include: Patchwork, Higaisa, FIN4, WIRTE, Windshift, Turla, Earth Lusca, Rancor.