Behavioral Detection of Visual Basic Execution (VBS/VBA/VBScript)

Technique Detected: Visual Basic | T1059.005

ID: DET0076
Domains: Enterprise
Analytics: AN0209, AN0210, AN0211
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025

Analytics

AN0209

Detects execution of VB-based scripts or macros (VBS/VBA/VBScript) through cscript.exe/wscript.exe, Office-based process chains, or HTA usage. Focuses on chained behavior: an Office or HTML container spawns a script host, and that script host in turn spawns PowerShell, opens network connections, or performs process injection.

Log Sources
Data Component             Name                 Channel
Process Creation (DC0032)  WinEventLog:Sysmon   EventCode=1
Module Load (DC0016)       WinEventLog:Sysmon   EventCode=7

Mutable Elements
Field                    Description
ParentProcess            Microsoft Word/Excel or mshta.exe spawning wscript.exe/cscript.exe.
UserContext              Script execution by non-admin users or service accounts.
TimeWindow               Script execution outside normal business hours or patching cycle.
PayloadEntropyThreshold  High entropy indicative of obfuscation or encoding in the script.
ModuleName               Loading of vbscript.dll, scrrun.dll, or other scripting engine modules.
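The process chain and module-load conditions AN0209 describes, worked through as an added example (this is not MITRE's analytic code). It runs over constructed Sysmon Event ID 1 and Event ID 7 records carrying only the fields the logic needs, keyed by ProcessGuid. The container, script-host and child-process name sets, the entropy threshold of 4.5 and the allow-list of processes expected to load vbscript.dll/scrrun.dll are all assumptions to be tuned against a real baseline; the base64 payload in the sample is a harmless placeholder.

```python
"""Sysmon process-chain and engine-load detection for VB script hosts (AN0209).

Added example; not MITRE's own analytic code. Consumes constructed Sysmon
records (EventCode 1 process creation, EventCode 7 module load) and alerts on:
  - an Office/HTA container spawning wscript.exe/cscript.exe, and/or that
    script host spawning PowerShell or another suspicious child, with a
    Shannon entropy score over the child's command line standing in for
    PayloadEntropyThreshold;
  - a scripting-engine DLL loaded by a process that is not a known script host.
"""
import math
from collections import Counter

# Assumed name sets; extend from your own environment baseline.
OFFICE_CONTAINERS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "mshta.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SUSPICIOUS_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "rundll32.exe", "regsvr32.exe", "mshta.exe"}
SCRIPT_ENGINE_DLLS = {"vbscript.dll", "scrrun.dll"}
EXPECTED_ENGINE_HOSTS = SCRIPT_HOSTS | {"mshta.exe"}  # assumed allow-list for ModuleName
ENTROPY_THRESHOLD = 4.5  # assumed starting value for PayloadEntropyThreshold


def image_name(path):
    """Lower-cased file name of a Windows path ("C:\\Windows\\System32\\wscript.exe" -> "wscript.exe")."""
    return path.rsplit("\\", 1)[-1].lower()


def shannon_entropy(text):
    """Bits per character of `text`; encoded or obfuscated payloads score high."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def detect_vb_script_chains(events):
    """One alert per wscript/cscript process with a suspicious parent and/or child."""
    procs = {e["ProcessGuid"]: e for e in events if e.get("EventCode") == 1}
    alerts = []
    for proc in procs.values():
        if image_name(proc["Image"]) not in SCRIPT_HOSTS:
            continue
        reasons = []
        parent = procs.get(proc["ParentProcessGuid"])  # absent if it started before logging began
        if parent and image_name(parent["Image"]) in OFFICE_CONTAINERS:
            reasons.append(f"spawned by {image_name(parent['Image'])}")
        for child in procs.values():
            child_name = image_name(child["Image"])
            if child["ParentProcessGuid"] == proc["ProcessGuid"] and child_name in SUSPICIOUS_CHILDREN:
                reasons.append(f"spawned {child_name}")
                if shannon_entropy(child["CommandLine"]) > ENTROPY_THRESHOLD:
                    reasons.append(f"high-entropy {child_name} command line")
        if reasons:
            alerts.append({"ProcessGuid": proc["ProcessGuid"], "User": proc["User"],
                           "CommandLine": proc["CommandLine"], "reasons": reasons})
    return alerts


def detect_unexpected_engine_loads(events):
    """EventCode 7: a scripting-engine DLL loaded by a process outside the expected host set."""
    return [
        {"ProcessGuid": e["ProcessGuid"], "Image": e["Image"], "ImageLoaded": e["ImageLoaded"]}
        for e in events
        if e.get("EventCode") == 7
        and image_name(e["ImageLoaded"]) in SCRIPT_ENGINE_DLLS
        and image_name(e["Image"]) not in EXPECTED_ENGINE_HOSTS
    ]


# Constructed Sysmon-style records (not real telemetry). The -enc value is just
# base64 of "ABCDEFGHIJKLMNOPQRSTUVWXYZ", used only to exercise the entropy score.
EVENTS = [
    {"EventCode": 1, "ProcessGuid": "{P1}", "ParentProcessGuid": "{P0}", "User": "CORP\\jdoe",
     "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "CommandLine": '"WINWORD.EXE" /n "C:\\Users\\jdoe\\Downloads\\invoice.docm"'},
    {"EventCode": 1, "ProcessGuid": "{P2}", "ParentProcessGuid": "{P1}", "User": "CORP\\jdoe",
     "Image": "C:\\Windows\\System32\\wscript.exe",
     "CommandLine": 'wscript.exe "C:\\Users\\jdoe\\AppData\\Local\\Temp\\inv.vbs"'},
    {"EventCode": 1, "ProcessGuid": "{P3}", "ParentProcessGuid": "{P2}", "User": "CORP\\jdoe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo="},
    {"EventCode": 1, "ProcessGuid": "{P4}", "ParentProcessGuid": "{P0}", "User": "NT AUTHORITY\\SYSTEM",
     "Image": "C:\\Windows\\System32\\cscript.exe",
     "CommandLine": "cscript.exe C:\\Scripts\\inventory.vbs"},
    {"EventCode": 7, "ProcessGuid": "{P2}", "Image": "C:\\Windows\\System32\\wscript.exe",
     "ImageLoaded": "C:\\Windows\\System32\\vbscript.dll"},
    {"EventCode": 7, "ProcessGuid": "{P5}", "Image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\updater.exe",
     "ImageLoaded": "C:\\Windows\\System32\\vbscript.dll"},
]

if __name__ == "__main__":
    for alert in detect_vb_script_chains(EVENTS):
        print("CHAIN", alert["ProcessGuid"], alert["User"], "; ".join(alert["reasons"]))
    for load in detect_unexpected_engine_loads(EVENTS):
        print("LOAD ", load["ProcessGuid"], image_name(load["Image"]), "->", image_name(load["ImageLoaded"]))
```

On the sample data the wscript.exe process {P2} is the only chain alert (Office parent, PowerShell child with a high-entropy command line), the SYSTEM-run cscript.exe inventory script produces nothing, and the unknown updater.exe is the only process flagged for loading vbscript.dll. Real deployments should key on ProcessGuid rather than ProcessId, since PIDs are reused, and should fold in the TimeWindow and UserContext fields the analytic lists before raising severity.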

AN0210

Detects embedded or emulated VBScript/VBA execution via Wine-based apps, Office for Mac abusing cross-platform .NET features, or macros dropped and invoked via AppleScript or third-party automation tools.

Log Sources
Data Component              Name               Channel
Script Execution (DC0029)   macos:unifiedlog   log stream --predicate 'eventMessage contains "wscript" OR "vbs"'
Process Creation (DC0032)   macos:osquery      process_events
Command Execution (DC0064)  macos:syslog       system.log

Mutable Elements
Field             Description
ScriptLocation    Script run from ~/Downloads, ~/Library, or /tmp/
EmulationContext  Wine or CrossOver launching legacy Windows scripting engines.
UserContext       VB execution from non-standard or shared users on endpoint.

AN0211

Detects abuse of Mono/.NET Core environments to execute VB-like scripts, often in environments with Office emulation or WINE. The focus is on rare invocations of scripting hosts such as mono.exe or .NET shells, which typically appear only on spam-filtering or forensic-lab systems with Office support.

Log Sources
Data Component             Name            Channel
Process Creation (DC0032)  auditd:SYSCALL  execve
Script Execution (DC0029)  linux:syslog    /var/log/syslog

Mutable Elements
Field            Description
InterpreterPath  Mono/.NET Core binary location may differ per distro or Docker container.
FileExtension    .vbs, .vb, or .vba run under non-standard interpreters.
ExecContext      Execution by low-privilege users or from /tmp/.
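The auditd execve side of AN0211, worked through as an added example (not MITRE's analytic code). It joins constructed SYSCALL, EXECVE and CWD records on the audit serial, matches the interpreter on the basename of `exe=` because InterpreterPath varies per distro or container, checks for the .vbs/.vb/.vba extensions, and adds the ExecContext signals (run from /tmp, run by a non-root uid). The interpreter name set is an assumption; the sample log lines are constructed, including one hex-encoded argument of the kind auditd emits when an argv entry contains a space.

```python
"""auditd-based detection of VB-style scripts run under Mono/.NET (AN0211).

Added example; not MITRE's own analytic code. Parses constructed auditd
SYSCALL/EXECVE/CWD records, groups them by audit event serial, and flags
Mono/.NET interpreters handed a .vbs/.vb/.vba argument, with the ExecContext
signals the analytic lists (execution from /tmp, low-privilege uid).
"""
import os
import re
from collections import defaultdict

# Assumed interpreter names; InterpreterPath differs per distro or container,
# so match on the basename of exe= rather than on a fixed path.
INTERPRETERS = {"mono", "mono-sgen", "dotnet", "vbnc"}
VB_EXTENSIONS = (".vbs", ".vb", ".vba")

HEADER_RE = re.compile(r"type=(\w+) msg=audit\(([\d.]+):(\d+)\):")
TOKEN_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_record(line):
    """Return (type, serial, fields) for one auditd line, or None if it is not one."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    rtype, _timestamp, serial = m.groups()
    fields = {}
    for key, raw, quoted in TOKEN_RE.findall(line[m.end():]):
        value = quoted if raw.startswith('"') else raw
        # auditd hex-encodes EXECVE arguments containing spaces or non-printables
        # and prints them unquoted; decode those so path matching still works.
        if rtype == "EXECVE" and re.fullmatch(r"a\d+", key) and not raw.startswith('"'):
            value = bytes.fromhex(raw).decode("utf-8", "replace")
        fields[key] = value
    return rtype, serial, fields


def group_by_serial(lines):
    """Join the SYSCALL, EXECVE and CWD records that share one audit event serial."""
    events = defaultdict(dict)
    for line in lines:
        parsed = parse_record(line)
        if parsed:
            rtype, serial, fields = parsed
            events[serial][rtype] = fields
    return events


def detect_vb_under_dotnet(lines):
    """One alert per execve of a Mono/.NET interpreter with a VB-style script argument."""
    alerts = []
    for serial, recs in group_by_serial(lines).items():
        syscall, execve = recs.get("SYSCALL"), recs.get("EXECVE")
        if not syscall or not execve:
            continue
        # 59 is execve on x86_64 (arch=c000003e); `ausearch -i` renders it as "execve".
        if syscall.get("syscall") not in ("59", "execve"):
            continue
        interpreter = os.path.basename(syscall.get("exe", ""))
        if interpreter not in INTERPRETERS:
            continue
        argv = [execve[f"a{i}"] for i in range(int(execve.get("argc", 0))) if f"a{i}" in execve]
        vb_args = [a for a in argv if a.lower().endswith(VB_EXTENSIONS)]
        if not vb_args:
            continue
        signals = [f"{interpreter} invoked {vb_args[0]}"]
        cwd = recs.get("CWD", {}).get("cwd", "")
        if cwd.startswith("/tmp") or any(a.startswith("/tmp/") for a in vb_args):
            signals.append("executed from /tmp")
        if syscall.get("uid") not in (None, "0"):
            signals.append(f"low-privilege uid {syscall['uid']}")
        alerts.append({"serial": serial, "exe": syscall["exe"], "argv": argv, "signals": signals})
    return alerts


# Constructed auditd lines (not real telemetry); serial 504 carries a hex-encoded argv entry.
SAMPLE_AUDIT_LOG = [
    'type=SYSCALL msg=audit(1761040000.101:501): arch=c000003e syscall=59 success=yes exit=0 '
    'ppid=2201 pid=2210 auid=1000 uid=1000 gid=1000 euid=1000 comm="mono" exe="/usr/bin/mono" key="exec"',
    'type=EXECVE msg=audit(1761040000.101:501): argc=2 a0="mono" a1="/tmp/update.vbs"',
    'type=CWD msg=audit(1761040000.101:501): cwd="/tmp"',
    'type=SYSCALL msg=audit(1761040000.205:502): arch=c000003e syscall=59 success=yes exit=0 '
    'ppid=1 pid=2300 auid=4294967295 uid=0 gid=0 euid=0 comm="dotnet" exe="/usr/share/dotnet/dotnet" key="exec"',
    'type=EXECVE msg=audit(1761040000.205:502): argc=3 a0="dotnet" a1="run" a2="/opt/app/app.csproj"',
    'type=CWD msg=audit(1761040000.205:502): cwd="/opt/app"',
    'type=SYSCALL msg=audit(1761040000.300:503): arch=c000003e syscall=59 success=yes exit=0 '
    'ppid=3000 pid=3001 auid=1000 uid=1000 gid=1000 euid=1000 comm="cat" exe="/usr/bin/cat" key="exec"',
    'type=EXECVE msg=audit(1761040000.300:503): argc=2 a0="cat" a1="/home/alice/notes.vb"',
    'type=SYSCALL msg=audit(1761040000.410:504): arch=c000003e syscall=59 success=yes exit=0 '
    'ppid=4000 pid=4001 auid=1001 uid=1001 gid=1001 euid=1001 comm="mono" exe="/opt/mono/bin/mono" key="exec"',
    'type=EXECVE msg=audit(1761040000.410:504): argc=2 a0="mono" a1=2f746d702f6d79207363726970742e766273',
    'type=CWD msg=audit(1761040000.410:504): cwd="/home/bob"',
]

if __name__ == "__main__":
    for alert in detect_vb_under_dotnet(SAMPLE_AUDIT_LOG):
        print(alert["serial"], alert["exe"], alert["argv"], "; ".join(alert["signals"]))
```

Serials 501 and 504 alert (mono given a .vbs path, in both cases under /tmp and by a non-root uid); 502 is a normal `dotnet run` and 503 is `cat` reading a .vb file, so neither matches. The records only arrive if an audit rule captures execve (for example `-a always,exit -F arch=b64 -S execve -k exec`), and the syscall-number check must be widened for other architectures.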