Adversaries may abuse Visual Basic (VB) for execution. VB is a programming language created by Microsoft with interoperability with many Windows technologies such as Component Object Model and the Native API through the Windows API. Although tagged as legacy with no planned future evolutions, VB is integrated and supported in the .NET Framework and cross-platform .NET Core.
Adversaries may use VB payloads to execute malicious commands. Common malicious usage includes automating execution of behaviors with VBScript or embedding VBA content into Spearphishing Attachment payloads (which may also involve Mark-of-the-Web Bypass to enable execution).
C0025 2016 Ukraine Electric Power Attack: During the 2016 Ukraine Electric Power Attack, Sandworm Team created VBScripts to run on an SSH server.
APT-C-36 has embedded a VBScript within a malicious Word document which is executed upon the document opening.
APT32 has used macros, COM scriptlets, and VBS scripts.
APT33 has used VBScript to initiate the delivery of payloads.
APT37 executes shellcode and a VBA script to decode Base64 strings.
APT38 has used VBScript to execute commands and other operational tasks.
Astaroth has used malicious VBS e-mail attachments for execution.
BackConfig has used VBS to install its downloader component and malicious documents with VBA macro code.
Bandook has used malicious VBA code against the target system.
Bisonal's dropper creates VBS scripts on the victim’s machine.
BRONZE BUTLER has used VBS and VBE scripts for execution.
Bumblebee can create a Visual Basic script to enable persistence.
For C0011, Transparent Tribe used malicious VBA macros within a lure document as part of the Crimson malware installation process onto a compromised host.
Cobalt Group has sent Word OLE compound documents with malicious obfuscated VBA macros that will run upon user execution.
Cobalt Strike can use VBA to perform execution.
DanBot can use a VBA macro embedded in an Excel file to drop the payload.
Donut can generate shellcode outputs that execute via VBScript.
Earth Lusca used VBA scripts.
Emotet has sent Microsoft Word documents with embedded macros that will invoke scripts to download additional payloads.
S0343 Exaramel for Windows: Exaramel for Windows has a command to execute VBS scripts on the victim’s machine.
Ferocious has the ability to use Visual Basic scripts for execution.
FIN4 has used VBA macros to display a dialog box and collect victim credentials.
FIN7 used VBS scripts to help perform tasks on the victim's machine.
Flagpro can execute malicious VBA macros embedded in .xlsm files.
During Frankenstein, the threat actors used Word documents that prompted the victim to enable macros and run a Visual Basic script.
During FunnyDream, the threat actors used a Visual Basic script to run remote commands.
Gamaredon Group has embedded malicious macros in document templates, which executed VBScript. Gamaredon Group has also delivered Microsoft Outlook VBA projects with embedded macros.
Goopy has the ability to use a Microsoft Outlook backdoor macro to communicate with its C2.
Gorgon Group has used macros in Spearphishing Attachments as well as executed VBScripts on victim machines.
Grandoreiro can use VBScript to execute malicious code.
HEXANE has used a VisualBasic script named
Inception has used VBScript to execute malicious commands and payloads.
Javali has used embedded VBScript to download malicious payloads from C2.
JSS Loader can download and execute VBScript files.
Kerrdown can use a VBS base64 decoder function published by Motobit.
KeyBoy uses VBS scripts for installing files and performing execution.
Kimsuky has used Visual Basic to download malicious payloads. Kimsuky has also used malicious VBA macros within maldocs disguised as forms that trigger when a victim types any content into the lure.
Koadic performs most of its operations using Windows Script Host (VBScript) and runs arbitrary shellcode.
KOCTOPUS has used VBScript to call wscript to execute a PowerShell command.
Lazarus Group has used VBA and embedded macros in Word documents to execute malicious code.
LazyScripter has used VBScript to execute malicious code.
Lokibot has used VBS scripts and XLS macros for execution.
LookBack has used VBA macros in Microsoft Word attachments to drop additional files to the host.
Machete has embedded malicious macros within spearphishing attachments to download additional files.
Magic Hound malware has used VBS scripts for execution.
Molerats used various implants, including those built with VBScript, on target machines.
MuddyWater has used VBScript files to execute its POWERSTATS payload, as well as macros.
Mustang Panda has embedded VBScript components in LNK files to download additional files and automate collection.
NanHaiShu executes additional VBScript code on the victim's machine.
NETWIRE has been executed through use of VBScripts.
OilRig has used VBScript macros for execution on compromised hosts.
OopsIE creates and uses a VBScript as part of its persistent execution.
During Operation CuckooBees, the threat actors executed an encoded VBScript file using
C0022 Operation Dream Job: During Operation Dream Job, Lazarus Group executed a VBA written malicious macro after victims download malicious DOTM files; Lazarus Group also used Visual Basic macro code to extract a double Base64 encoded DLL implant.
C0016 Operation Dust Storm: During Operation Dust Storm, the threat actors used Visual Basic scripts.
For Operation Honeybee, the threat actors used a Visual Basic script embedded within a Word document to download an implant.
During Operation Sharpshooter, the threat actors used a VBA macro to execute a simple downloader that installed Rising Sun.
During Operation Wocao, threat actors used VBScript to conduct reconnaissance on targeted systems.
OSX_OCEANLOTUS.D uses Word macros for execution.
Patchwork used Visual Basic Scripts (VBS) on victim machines.
PoetRAT has used Word documents with VBScripts to execute malicious activities.
PowerShower has the ability to save and execute VBScript.
POWERSTATS can use VBScript (VBE) code for execution.
Pteranodon can use a malicious VBS file for execution.
QakBot can use VBS to download and execute malicious files.
Ramsay has included embedded Visual Basic scripts in malicious documents.
Rancor has used VBS scripts as well as embedded macros for execution.
Remexi uses AutoIt and VBS scripts throughout its execution process.
REvil has used obfuscated VBA macros for execution.
Sandworm Team has created VBScripts to run an SSH server.
SideCopy has sent Microsoft Office Publisher documents to victims that have embedded malicious macros that execute an hta file via calling
Sidewinder has used VBScript to drop and execute malware loaders.
Smoke Loader adds a Visual Basic script in the Startup folder to deploy the payload.
For the SolarWinds Compromise, APT29 wrote malware such as Sibot in Visual Basic.
Squirrelwaffle has used malicious VBA macros in Microsoft Word documents and Excel spreadsheets that execute an
STARWHALE can use the VBScript function
StoneDrill has several VBS scripts used throughout the malware's lifecycle.
SUNBURST used VBScripts to initiate the execution of payloads.
Transparent Tribe has crafted VBS-based malicious documents.
TYPEFRAME has used a malicious Word document for delivery with VBA macros for execution.
Ursnif droppers have used VBA macros to download and execute the malware's full executable payload.
WhisperGate can use a Visual Basic script to exclude the
Xbash can execute malicious VBScript payloads on the victim’s machine.
Anti-virus can be used to automatically quarantine suspicious files.
M1040 Behavior Prevention on Endpoint: On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent Visual Basic scripts from executing potentially malicious downloaded content.
M1042 Disable or Remove Feature or Program: Turn off or restrict access to unneeded VB components.
Use application control where appropriate. VBA macros obtained from the Internet, based on the file's Mark of the Web (MOTW) attribute, may be blocked from executing in Office applications (ex: Access, Excel, PowerPoint, Visio, and Word) by default starting in Windows Version 2203.
M1021 Restrict Web-Based Content: Script blocking extensions can help prevent the execution of scripts and HTA files that may commonly be used during the exploitation process. For malicious code served up through ads, adblockers can help prevent that code from executing in the first place.
Detection:
Monitor executed commands and arguments that may abuse Visual Basic (VB) for execution.
Monitor for the loading of modules associated with VB languages (ex: vbscript.dll).
Monitor for events associated with VB execution, such as Office applications spawning processes and usage of the Windows Script Host (typically cscript.exe or wscript.exe). VB execution is likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used.
Any attempt to enable script execution on a system should be considered suspicious. If scripts are not commonly used on a system but are enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.
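The detection guidance above, as an added example that is not part of the ATT&CK page: a small Python checker that runs the three indicators (Office application spawning a child process, Windows Script Host running a .vbs/.vbe file, and a process loading vbscript.dll) over constructed Sysmon-style process-creation and image-load events. The event field names, the Office process list and the severity labels are assumptions for illustration.

```python
import ntpath
import shlex

# Process names the page calls out: Office hosts and the Windows Script Host engines (assumed list).
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
               "msaccess.exe", "visio.exe", "mspub.exe"}
WSH_HOSTS = {"wscript.exe", "cscript.exe"}
VB_MODULES = {"vbscript.dll"}  # VB engine module named on the page

# Constructed Sysmon-style events (ID 1 = process create, ID 7 = image load); not real telemetry.
SAMPLE_EVENTS = [
    {"event_id": 1, "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "command_line": r'wscript.exe "C:\Users\alice\AppData\Local\Temp\invoice update.vbs"'},
    {"event_id": 1, "image": r"C:\Windows\System32\cscript.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"cscript.exe //nologo C:\Admin\inventory.vbs"},
    {"event_id": 7, "image": r"C:\Windows\System32\mshta.exe",
     "image_loaded": r"C:\Windows\System32\vbscript.dll"},
    {"event_id": 1, "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Windows\System32\services.exe",
     "command_line": "svchost.exe -k netsvcs"},
]

def _name(path):
    return ntpath.basename(path).lower()  # ntpath handles Windows paths on any OS

def script_argument(command_line):
    """Return the first .vbs/.vbe argument, tolerating quoted Windows paths."""
    for token in shlex.split(command_line, posix=False):  # non-POSIX: keep backslashes
        token = token.strip('"')
        if token.lower().endswith((".vbs", ".vbe")):
            return token
    return None

def detect(events):
    """Return (severity, rule, detail) findings for the VB-execution indicators above."""
    findings = []
    for e in events:
        if e["event_id"] == 1:
            image, parent = _name(e["image"]), _name(e["parent_image"])
            if parent in OFFICE_APPS:  # Office application spawning a child process
                findings.append(("high", "office_spawn", f"{parent} -> {image}"))
            if image in WSH_HOSTS:  # Windows Script Host running a script
                script = script_argument(e["command_line"]) or "<no script path>"
                severity = "high" if parent in OFFICE_APPS else "medium"
                findings.append((severity, "wsh_script", f"{image} ran {script}"))
        elif e["event_id"] == 7 and _name(e["image_loaded"]) in VB_MODULES:
            findings.append(("medium", "vb_engine_load", f"{_name(e['image'])} loaded {_name(e['image_loaded'])}"))
    return findings
```

Calling detect(SAMPLE_EVENTS) returns four findings: two high-severity ones for the Word-spawned wscript.exe event, a medium one for the explorer-launched cscript.exe, and one for the vbscript.dll load; the svchost.exe event produces nothing.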