T1059.005 Visual Basic Mappings

Adversaries may abuse Visual Basic (VB) for execution. VB is a programming language created by Microsoft with interoperability with many Windows technologies such as Component Object Model and the Native API through the Windows API. Although tagged as legacy with no planned future evolutions, VB is integrated and supported in the .NET Framework and cross-platform .NET Core.(Citation: VB .NET Mar 2020)(Citation: VB Microsoft)

Derivative languages based on VB have also been created, such as Visual Basic for Applications (VBA) and VBScript. VBA is an event-driven programming language built into Microsoft Office, as well as several third-party applications.(Citation: Microsoft VBA)(Citation: Wikipedia VBA) VBA enables documents to contain macros used to automate the execution of tasks and other functionality on the host. VBScript is a default scripting language on Windows hosts and can also be used in place of JavaScript on HTML Application (HTA) webpages served to Internet Explorer (though most modern browsers do not come with VBScript support).(Citation: Microsoft VBScript)

Adversaries may use VB payloads to execute malicious commands. Common malicious usage includes automating execution of behaviors with VBScript or embedding VBA content into Spearphishing Attachment payloads.


NIST 800-53 Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| CM-2 | Baseline Configuration | Protects | T1059.005 | Visual Basic | |
| CM-6 | Configuration Settings | Protects | T1059.005 | Visual Basic | |
| CM-7 | Least Functionality | Protects | T1059.005 | Visual Basic | |
| CM-8 | System Component Inventory | Protects | T1059.005 | Visual Basic | |
| RA-5 | Vulnerability Monitoring and Scanning | Protects | T1059.005 | Visual Basic | |
| SC-18 | Mobile Code | Protects | T1059.005 | Visual Basic | |
| SI-10 | Information Input Validation | Protects | T1059.005 | Visual Basic | |
| SI-2 | Flaw Remediation | Protects | T1059.005 | Visual Basic | |
| SI-3 | Malicious Code Protection | Protects | T1059.005 | Visual Basic | |
| SI-4 | System Monitoring | Protects | T1059.005 | Visual Basic | |
| SI-7 | Software, Firmware, and Information Integrity | Protects | T1059.005 | Visual Basic | |

VERIS Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.hacking.variety.Abuse of functionality | Abuse of functionality | related-to | T1059.005 | Command and Scripting Interpreter: Visual Basic | |
| action.hacking.vector.Command shell | Remote shell | related-to | T1059.005 | Command and Scripting Interpreter: Visual Basic | |
| action.malware.vector.Email attachment | Email via user-executed attachment. Child of 'Email' | related-to | T1059.005 | Command and Scripting Interpreter: Visual Basic | |