T1059.005 Visual Basic

Adversaries may abuse Visual Basic (VB) for execution. VB is a programming language created by Microsoft with interoperability with many Windows technologies such as Component Object Model and the Native API through the Windows API. Although tagged as legacy with no planned future evolutions, VB is integrated and supported in the .NET Framework and cross-platform .NET Core.(Citation: VB .NET Mar 2020)(Citation: VB Microsoft)

Derivative languages based on VB have also been created, such as Visual Basic for Applications (VBA) and VBScript. VBA is an event-driven programming language built into Microsoft Office, as well as several third-party applications.(Citation: Microsoft VBA)(Citation: Wikipedia VBA) VBA enables documents to contain macros used to automate the execution of tasks and other functionality on the host. VBScript is a default scripting language on Windows hosts and can also be used in place of JavaScript on HTML Application (HTA) webpages served to Internet Explorer (though most modern browsers do not come with VBScript support).(Citation: Microsoft VBScript)

Adversaries may use VB payloads to execute malicious commands. Common malicious usage includes automating execution of behaviors with VBScript or embedding VBA content into Spearphishing Attachment payloads (which may also involve Mark-of-the-Web Bypass to enable execution).(Citation: Default VBS macros Blocking)
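As an added detection-side example (not part of the ATT&CK technique entry or the CRI mapping), the following is a minimal triage check for the macro-bearing attachments described above: an Office Open XML document is a zip container that stores a VBA project as a vbaProject.bin part, declared in [Content_Types].xml with the application/vnd.ms-office.vbaProject content type. The function names, the build_sample helper and its placeholder bytes are constructed for this example.

```python
from __future__ import annotations

import io
import xml.etree.ElementTree as ET
import zipfile

# Content type OOXML uses to declare an embedded VBA project part.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"


def find_vba_parts(data: bytes) -> list[str]:
    """Return archive entries holding a VBA project; [] if none or not OOXML.

    Two independent signals are checked so that renaming the part alone does
    not hide it: a vbaProject.bin entry anywhere in the archive, and any
    <Override> in [Content_Types].xml declaring the VBA content type.
    """
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []  # not a zip container, so not an OOXML document
    hits = {n for n in zf.namelist() if n.lower().endswith("vbaproject.bin")}
    try:
        root = ET.fromstring(zf.read("[Content_Types].xml"))
        for el in root.iter(CT_NS + "Override"):
            if el.get("ContentType") == VBA_CONTENT_TYPE:
                hits.add(el.get("PartName", "").lstrip("/"))
    except (KeyError, ET.ParseError):
        pass  # missing or malformed content-types part: rely on the name check
    return sorted(hits)


def build_sample(with_macro: bool) -> bytes:
    """Constructed minimal OOXML-like archive used as offline sample input."""
    main_ct = ("application/vnd.openxmlformats-officedocument"
               ".wordprocessingml.document.main+xml")
    overrides = f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if with_macro:
            overrides += (f'<Override PartName="/word/vbaProject.bin" '
                          f'ContentType="{VBA_CONTENT_TYPE}"/>')
            # Placeholder bytes stand in for the real OLE-packaged VBA project.
            zf.writestr("word/vbaProject.bin", b"constructed placeholder")
        zf.writestr("[Content_Types].xml",
                    f'<Types xmlns="{CT_NS[1:-1]}">{overrides}</Types>')
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()
```

Legacy binary formats (.doc, .xls) are OLE compound files rather than zip containers and are not covered by this check; dedicated tools such as oletools' olevba handle those.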


CRI Profile Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes

DE.AE-02.01 | Event analysis and detection | Mitigates | T1059.005 | Visual Basic
Comments: This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.

PR.IR-01.08 | End-user device access | Mitigates | T1059.005 | Visual Basic
Comments: This diagnostic statement implements technical controls (e.g., VPN, antivirus software) to address the risks of end-user personal computing devices accessing the organization's network and resources.

PR.PS-01.01 | Configuration baselines | Mitigates | T1059.005 | Visual Basic
Comments: This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data, thereby mitigating adversary exploitation.

PR.PS-01.08 | End-user device protection | Mitigates | T1059.005 | Visual Basic
Comments: This diagnostic statement protects endpoints from abuse of commands and scripts through configuration requirements, connection requirements, and other mechanisms to protect network, application, and data integrity.

PR.PS-05.01 | Malware prevention | Mitigates | T1059.005 | Visual Basic
Comments: Antivirus/antimalware software can be used to detect and quarantine files that have been embedded with malicious commands or scripts.

PR.PS-05.02 | Mobile code prevention | Mitigates | T1059.005 | Visual Basic
Comments: Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source.

DE.CM-01.05 | Website and service blocking | Mitigates | T1059.005 | Visual Basic
Comments: This diagnostic statement prevents adversaries from abusing commands, scripts, or binaries by blocking the execution of scripts and malicious code delivered through websites and ads, for example by using ad blockers.

PR.PS-01.08 | End-user device protection | Mitigates | T1059.005 | Visual Basic
Comments: This diagnostic statement protects against Visual Basic abuse by limiting access to resources to only authorized devices, managing personal computing devices, using network intrusion prevention, and using antimalware.

NIST 800-53 Mappings

VERIS Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes

action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1059.005 | Visual Basic