T1059.005 Visual Basic Mappings

Adversaries may abuse Visual Basic (VB) for execution. VB is a programming language created by Microsoft with interoperability with many Windows technologies such as Component Object Model and the Native API through the Windows API. Although tagged as legacy with no planned future evolutions, VB is integrated and supported in the .NET Framework and cross-platform .NET Core.(Citation: VB .NET Mar 2020)(Citation: VB Microsoft)

Derivative languages based on VB have also been created, such as Visual Basic for Applications (VBA) and VBScript. VBA is an event-driven programming language built into Microsoft Office, as well as several third-party applications.(Citation: Microsoft VBA)(Citation: Wikipedia VBA) VBA enables documents to contain macros used to automate the execution of tasks and other functionality on the host. VBScript is a default scripting language on Windows hosts and can also be used in place of JavaScript on HTML Application (HTA) webpages served to Internet Explorer (though most modern browsers do not come with VBScript support).(Citation: Microsoft VBScript)

Adversaries may use VB payloads to execute malicious commands. Common malicious usage includes automating execution of behaviors with VBScript or embedding VBA content into Spearphishing Attachment payloads (which may also involve Mark-of-the-Web Bypass to enable execution).(Citation: Default VBS macros Blocking)


Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
intel-tdt | Intel Threat Detection Technology | CrowdStrike AMS | T1059.005 | Visual Basic |
Comments
Intel Threat Detection Technology (TDT), combined with CrowdStrike Falcon Accelerated Memory Scanning (CAMS), strengthens cybersecurity defenses by enabling the real-time detection of Visual Basic (VB) adversarial techniques. This dynamic solution enhances CrowdStrike Falcon, providing early detection and mitigation of cyber threats while minimizing system performance impact.

Visual Basic adversarial techniques involve attackers leveraging scripting or automation tools such as VBScript or Visual Basic for Applications (VBA) to execute malicious code. These techniques often bypass traditional security defenses by running within trusted applications (like Microsoft Office), enabling attackers to execute payloads without triggering alarms.

Intel TDT offers deep visibility into program execution, memory access, and control flow, enabling rapid identification of malicious activities or suspicious patterns indicative of VB-based exploits. AMS offloads memory scanning tasks to the Intel Integrated GPU, so that scanning does not compromise system performance while still providing fast detection of these evasive techniques. By quickly identifying VB-based attacks, such as malicious macros or script injections, this combined solution strengthens defenses against adversaries using Visual Basic as an attack vector.