Command and Scripting Interpreter: Visual Basic `T1059.005`

Tactic: Execution

Adversaries may abuse Visual Basic (VB) for execution. VB is a programming language created by Microsoft with interoperability with many Windows technologies such as Component Object Model and the Native API through the Windows API. Although tagged as legacy with no planned future evolutions, VB is integrated and supported in the .NET Framework and cross-platform .NET Core.

Events covered

21 catalog events are tagged with this technique by at least one rule.

Provider	Event	Title
Sysmon	Event ID 1	Process creation
Sysmon	Event ID 3	Network connection
Sysmon	Event ID 7	Image loaded
Sysmon	Event ID 8	CreateRemoteThread
Sysmon	Event ID 11	FileCreate
Sysmon	Event ID 12	RegistryEvent (Object create and delete)
Sysmon	Event ID 13	RegistryEvent (Value Set)
Sysmon	Event ID 14	RegistryEvent (Key and Value Rename)
Sysmon	Event ID 19	WmiEvent (WmiEventFilter activity detected)
Sysmon	Event ID 20	WmiEvent (WmiEventConsumer activity detected)
Sysmon	Event ID 21	WmiEvent (WmiEventConsumerToFilter activity detected)
Sysmon	Event ID 22	DNSEvent (DNS query)
Security-Auditing	Event ID 4688	A new process has been created.
Defender-DeviceEvents	ClrUnbackedModuleLoaded	CLR unbacked module loaded
ESF	exec	Process Execution (Notify)
AppLocker	Event ID 8004	FilePathBuffer was prevented from running.
AppLocker	Event ID 8007	FilePathBuffer was prevented from running.
AppLocker	Event ID 8022	PackageBuffer was prevented from running.
AppLocker	Event ID 8025	PackageBuffer was prevented from running.
DotNETRuntime	Event ID 152	ModuleID=ModuleID.
PowerShell	Event ID 4104	Creating Scriptblock text (MessageNumber of MessageTotal).

Authoring guide

Patterns shared across the 62 rules above: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (46 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

Field	Rules	How	Sample values
`Image`	27	`ends_with` 20, `contains` 3, `wildcard` 3, `in` 1, `ne` 1	`\cscript.exe`, `\wscript.exe`, `\cmd.exe`, `\mshta.exe`, `\certutil.exe`
`process_name`	25	`eq` 17, `in` 5, `regex_match` 4, `starts_with` 1	`cscript.exe`, `wscript.exe`, `cmd.exe`, `powershell.exe`, `mshta.exe`
`CommandLine`	23	`contains` 19, `regex_match` 2, `ends_with` 1, `is_not_null` 1, `wildcard` 1	`(?i)(w\|c)script.{1,}?\.\w{2,4}`, `://`, `\\\\`, `gathernetworkinfo.vbs`, `/c ping.exe -n 6 127.0.0.1 & type`
`parent_process_name`	20	`eq` 12, `in` 4, `regex_match` 4	`mshta.exe`, `cscript.exe`, `7zFM.exe`, `cmd.exe`, `explorer.exe`
`event.type`	16	`eq` 16	`start`, `change`, `creation`
`OriginalFileName`	14	`eq` 13, `in` 1	`cscript.exe`, `cmd.exe`, `wscript.exe`, `powershell.exe`, `wmic.exe`
`EventID`	10	`eq` 10	`1`, `4688`, `22`, `4104`
`process.args`	8	`eq` 3, `wildcard` 3, `ends_with` 1, `is_not_null` 1, `starts_with` 1	`Reflection.Assembly`, `downloadstring`, `http`, `-i`, `-n`
`EventType`	7	`eq` 5, `starts_with` 2	`Image loaded`, `start`, `ClrUnbackedModuleLoaded`, `creation`, `exec`
`ParentImage`	7	`ends_with` 7, `eq` 1, `starts_with` 1	`\bginfo.exe`, `\bginfo64.exe`, `\cscript.exe`, `\mshta.exe`, `\bun.exe`
`TargetFilename`	4	`contains` 3, `ends_with` 2	`.exe`, `.js`, `.jse`, `.vba`, `.vbs`
`event.category`	4	`eq` 4	`process`, `driver`, `library`
`ParentCommandLine`	3	`contains` 3, `regex_match` 1	`(?:[Pp]rogram[Dd]ata\|%(?:[Ll]ocal)?[Aa]pp[Dd]ata%\|\\[Aa]p...`, `-encoded` , `//e:vbscript`, `:\perflogs\`, `\nessus_`
`dll.name`	3	`eq` 3	`msxml3.dll`, `taskschd.dll`, `wmiutils.dll`
`process.args_count`	3	`ge` 2, `eq` 1	`2`

Top indicator values (533 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique. Click a value to expand the rules under this technique that use it.

Field	Kind	Value	Rules (here)	Corpus reach
`event.type`	`eq`	`start` elasticCommand and Scripting Interpreter via Windows Scripts elasticExecution of a Downloaded Windows Script elasticMicrosoft Build Engine Started by a Script Process elasticMicrosoft Management Console File from Unusual Path elasticScript Execution via Microsoft HTML Application elasticScript Interpreter Connection to Non-Standard Port elasticService Control Spawned via Script Interpreter elasticSuspicious .NET Code Compilation elasticSuspicious Explorer Child Process elasticSuspicious ScreenConnect Client Child Process elasticWeb Shell Detection: Script Process Child of Common Web Processes elasticWindows Script Executing PowerShell elasticWindows Script Execution from Archive elasticWindows Script Interpreter Executing Process via WMI	14	606
`Image`	`ends_with`	`\cscript.exe` sigmaCscript/Wscript Uncommon Script Extension Execution sigmaHTML Help HH.EXE Suspicious Child Process sigmaPotential APT10 Cloud Hopper Activity sigmaPotential Dropper Script Execution Via WScript/CScript/MSHTA sigmaPotential Reconnaissance Activity Via GatherNetworkInfo.VBS sigmaRegistry Tampering by Potentially Suspicious Processes sigmaSuspicious Child Process Of BgInfo.EXE sigmaSuspicious Reconnaissance Activity Via GatherNetworkInfo.VBS sigmaWScript or CScript Dropper - File sigmaWSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript	10	73
`Image`	`ends_with`	`\wscript.exe` sigmaCscript/Wscript Uncommon Script Extension Execution sigmaHTML Help HH.EXE Suspicious Child Process sigmaPotential Dropper Script Execution Via WScript/CScript/MSHTA sigmaPotential QBot Activity sigmaPotential Reconnaissance Activity Via GatherNetworkInfo.VBS sigmaRegistry Tampering by Potentially Suspicious Processes sigmaSuspicious Child Process Of BgInfo.EXE sigmaSuspicious Reconnaissance Activity Via GatherNetworkInfo.VBS sigmaWScript or CScript Dropper - File sigmaWSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript	10	75
`Image`	`ends_with`	`\mshta.exe` sigmaHTML Help HH.EXE Suspicious Child Process sigmaPotential Dropper Script Execution Via WScript/CScript/MSHTA sigmaRegistry Tampering by Potentially Suspicious Processes sigmaSuspicious Child Process Of BgInfo.EXE sigmaWindows Shell/Scripting Processes Spawning Suspicious Programs	5	67
`Image`	`ends_with`	`\cmd.exe` sigmaAxios NPM Compromise Indicators - Windows sigmaHackTool - Koadic Execution sigmaHTML Help HH.EXE Suspicious Child Process sigmaSuspicious Child Process Of BgInfo.EXE	4	130
`Image`	`ends_with`	`\powershell.exe` sigmaAxios NPM Compromise Indicators - Windows sigmaHTML Help HH.EXE Suspicious Child Process sigmaSuspicious Child Process Of BgInfo.EXE	3	182
`Image`	`ends_with`	`\wmic.exe` sigmaHTML Help HH.EXE Suspicious Child Process sigmaPotential Remote SquiblyTwo Technique Execution sigmaXSL Script Execution Via WMIC.EXE	3	60
`process_name`	`eq`	`wscript.exe` elasticDelayed Execution via Ping elasticRemote File Download via Script Interpreter elasticScheduled Task Created by a Windows Script elasticSuspicious Explorer Child Process elasticSuspicious ScreenConnect Client Child Process elasticWindows Script Execution from Archive elasticWindows Script Interpreter Executing Process via WMI splunkVbscript Execution Using Wscript App	8	29
`process_name`	`eq`	`cscript.exe` elasticDelayed Execution via Ping elasticRemote File Download via Script Interpreter elasticScheduled Task Created by a Windows Script elasticSuspicious Explorer Child Process elasticSuspicious ScreenConnect Client Child Process elasticWindows Script Interpreter Executing Process via WMI splunkExecute Javascript With Jscript COM CLSID	7	25
`process_name`	`eq`	`powershell.exe` elasticCommand and Scripting Interpreter via Windows Scripts elasticDelayed Execution via Ping elasticScheduled Task Created by a Windows Script elasticSuspicious Explorer Child Process elasticSuspicious ScreenConnect Client Child Process elasticWindows Script Executing PowerShell	6	104
`process_name`	`eq`	`mshta.exe` elasticDelayed Execution via Ping elasticScript Execution via Microsoft HTML Application elasticSuspicious Explorer Child Process elasticSuspicious ScreenConnect Client Child Process splunkCisco NVM - MSHTML or MSHTA Network Execution Without URL in CLI	5	31
`process_name`	`eq`	`rundll32.exe` elasticDelayed Execution via Ping elasticScript Execution via Microsoft HTML Application elasticSuspicious Explorer Child Process elasticSuspicious ScreenConnect Client Child Process splunkCisco NVM - MSHTML or MSHTA Network Execution Without URL in CLI	5	60
`process_name`	`eq`	`cmd.exe` elasticCommand and Scripting Interpreter via Windows Scripts elasticExecution of a Downloaded Windows Script elasticSuspicious Explorer Child Process elasticSuspicious ScreenConnect Client Child Process	4	77
`parent_process_name`	`eq`	`wscript.exe` elasticCommand and Scripting Interpreter via Windows Scripts elasticService Control Spawned via Script Interpreter elasticSuspicious .NET Code Compilation elasticWindows Script Executing PowerShell splunkVbscript Execution Using Wscript App	5	11
`parent_process_name`	`eq`	`explorer.exe` elasticExecution of a Downloaded Windows Script elasticSuspicious Explorer Child Process elasticWindows Script Execution from Archive	3	20
`parent_process_name`	`eq`	`mshta.exe` elasticCommand and Scripting Interpreter via Windows Scripts elasticService Control Spawned via Script Interpreter elasticSuspicious .NET Code Compilation	3	12
`OriginalFileName`	`eq`	`cscript.exe` sigmaCscript/Wscript Uncommon Script Extension Execution sigmaPotential Reconnaissance Activity Via GatherNetworkInfo.VBS sigmaWSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript elasticWindows Script Interpreter Executing Process via WMI	4	19
`OriginalFileName`	`eq`	`wscript.exe` sigmaCscript/Wscript Uncommon Script Extension Execution sigmaPotential Reconnaissance Activity Via GatherNetworkInfo.VBS sigmaWSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript elasticWindows Script Interpreter Executing Process via WMI	4	20
`OriginalFileName`	`eq`	`cmd.exe` sigmaHackTool - Koadic Execution elasticCommand and Scripting Interpreter via Windows Scripts elasticWindows Script Interpreter Executing Process via WMI	3	65
`OriginalFileName`	`eq`	`powershell.exe` sigmaAxios NPM Compromise Indicators - Windows elasticCommand and Scripting Interpreter via Windows Scripts elasticWindows Script Interpreter Executing Process via WMI	3	120
`event.category`	`eq`	`process` elasticMicrosoft Build Engine Started by a Script Process elasticScheduled Task Created by a Windows Script elasticWeb Shell Detection: Script Process Child of Common Web Processes elasticWindows Script Interpreter Executing Process via WMI	4	128
`process_name`	`in`	`cscript.exe` elasticExecution of a Downloaded Windows Script elasticWeb Shell Detection: Script Process Child of Common Web Processes splunkCisco NVM - Susp Script From Archive Triggering Network Activity splunkSuspicious Process DNS Query Known Abuse Web Services	4	20
`process_name`	`in`	`wscript.exe` elasticExecution of a Downloaded Windows Script elasticWeb Shell Detection: Script Process Child of Common Web Processes splunkCisco NVM - Susp Script From Archive Triggering Network Activity splunkSuspicious Process DNS Query Known Abuse Web Services	4	19
`process_name`	`in`	`pwsh.exe` elasticExecution of a Downloaded Windows Script elasticWeb Shell Detection: Script Process Child of Common Web Processes splunkSuspicious Process DNS Query Known Abuse Web Services	3	22
`CommandLine`	`contains`	`.wsf` sigmaPotential Dropper Script Execution Via WScript/CScript/MSHTA sigmaWSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript elasticExecution of a Downloaded Windows Script	3	4
`CommandLine`	`contains`	`.js` sigmaPotential Dropper Script Execution Via WScript/CScript/MSHTA sigmaWSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript	2	9
`CommandLine`	`contains`	`.jse` sigmaPotential Dropper Script Execution Via WScript/CScript/MSHTA sigmaWSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript	2	3
`CommandLine`	`contains`	`.vba` sigmaPotential Dropper Script Execution Via WScript/CScript/MSHTA sigmaWSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript	2	2
`EventID`	`eq`	`1` splunkExecutable Process from Suspicious Folder (Sysmon) splunkMicrosoft Build Engine Suspicious Parent Process (Sysmon) splunkWscript_Cscript Execution (Sysmon)	3	237
`EventID`	`eq`	`4688` splunkExecutable Process from Suspicious Folder (Windows Event Log) splunkMicrosoft Build Engine Suspicious Parent Process (Windows Event Log) splunkWscript_Cscript Execution (Windows Event Log)	3	313

Exclusions (171 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths. Click a value to expand the rules under this technique that exclude it.

Field	Kind	Value	Rules excluding
`user.id`	`eq`	`S-1-5-18` elasticCommand and Scripting Interpreter via Windows Scripts elasticDelayed Execution via Ping elasticService Control Spawned via Script Interpreter	3
`Image`	`ends_with`	`\wscript.exe` sigmaRegistry Tampering by Potentially Suspicious Processes sigmaSuspicious Reconnaissance Activity Via GatherNetworkInfo.VBS	2
`process_name`	`regex_match`	`(?i)windowsupdatelog` splunkExecutable Process from Suspicious Folder (Sysmon) splunkExecutable Process from Suspicious Folder (Windows Event Log)	2
`CommandLine`	`contains`	`.\\install\\awk.exe` elasticWeb Shell Detection: Script Process Child of Common Web Processes	1
`CommandLine`	`contains`	`://` sigmaXSL Script Execution Via WMIC.EXE	1
`CommandLine`	`contains`	`\\\\` sigmaXSL Script Execution Via WMIC.EXE	1
`CommandLine`	`contains`	`\autorun.hta` sigmaWindows Shell/Scripting Processes Spawning Suspicious Programs	1
`CommandLine`	`contains`	`\nessus_` sigmaWindows Shell/Scripting Processes Spawning Suspicious Programs	1
`CommandLine`	`contains`	`\smssetup\bin\` sigmaWindows Shell/Scripting Processes Spawning Suspicious Programs	1
`CommandLine`	`contains`	`c:\mem_configmgr_` sigmaWindows Shell/Scripting Processes Spawning Suspicious Programs	1
`CommandLine`	`contains`	`format:csv` sigmaXSL Script Execution Via WMIC.EXE	1
`CommandLine`	`contains`	`format:hform` sigmaXSL Script Execution Via WMIC.EXE	1
`CommandLine`	`contains`	`format:htable` sigmaXSL Script Execution Via WMIC.EXE	1
`CommandLine`	`contains`	`format:list` sigmaXSL Script Execution Via WMIC.EXE	1
`CommandLine`	`contains`	`format:mof` sigmaXSL Script Execution Via WMIC.EXE	1

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

Command and Scripting Interpreter: Visual Basic `T1059.005`

Events covered

Authoring guide

Fields filtered most (46 distinct)

Top indicator values (533 distinct)

Exclusions (171 distinct)

Rules under this technique

Sigma 28 rules

Elastic 18 rules

Splunk 15 rules

Kusto 1 rule

Keyboard shortcuts

Search operators

Command and Scripting Interpreter: Visual Basic T1059.005

Events covered

Authoring guide

Fields filtered most (46 distinct)

Top indicator values (533 distinct)

Exclusions (171 distinct)

Rules under this technique

Sigma 28 rules

Elastic 18 rules

Splunk 15 rules

Kusto 1 rule

Command and Scripting Interpreter: Visual Basic `T1059.005`