T1059.005 - Visual Basic

Adversaries may abuse Visual Basic (VB) for execution. VB is a programming language created by Microsoft with interoperability with many Windows technologies such as [Component Object Model](https://attack.mitre.org/techniques/T1559/001) and the [Native API](https://attack.mitre.org/techniques/T1106) through the Windows API. Although tagged as legacy with no planned future evolutions, VB is integrated and supported in the .NET Framework and cross-platform .NET Core.(Citation: VB .NET Mar 2020)(Citation: VB Microsoft)

Derivative languages based on VB have also been created, such as Visual Basic for Applications (VBA) and VBScript. VBA is an event-driven programming language built into Office applications.(Citation: Microsoft VBA) VBA enables documents to contain macros used to automate the execution of tasks and other functionality on the host. VBScript is a default scripting language on Windows hosts and can also be used in place of JavaScript/JScript on HTML Application (HTA) webpages served to Internet Explorer (though most modern browsers do not come with VBScript support).(Citation: Microsoft VBScript)

Adversaries may use VB payloads to execute malicious commands. Common malicious usage includes automating execution of behaviors with VBScript or embedding VBA content into Spearphishing Attachment payloads.

Atomic Tests


Atomic Test #1 - Visual Basic script execution to gather local computer information

Visual Basic execution test: executes a VBScript via PowerShell.

When successful, system information will be written to $env:TEMP\T1059.005.out.txt.

Supported Platforms: Windows

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| vbscript | Path to sample script | String | PathToAtomicsFolder\T1059.005\src\sys_info.vbs |

Attack Commands: Run with powershell!

```powershell
cscript #{vbscript} > $env:TEMP\out.txt
```

Cleanup Commands:

```powershell
Remove-Item $env:TEMP\sys_info.vbs -ErrorAction Ignore
Remove-Item $env:TEMP\T1059.005.out.txt -ErrorAction Ignore
```

Dependencies: Run with powershell!

Description: Sample script must exist on disk at specified location (#{vbscript})

Check Prereq Commands:

```powershell
if (Test-Path #{vbscript}) {exit 0} else {exit 1}
```

Get Prereq Commands:

```powershell
Invoke-WebRequest "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.005/src/sys_info.vbs" -OutFile "$env:TEMP\sys_info.vbs"
New-Item -ItemType Directory (Split-Path #{vbscript}) -Force | Out-Null
Copy-Item $env:TEMP\sys_info.vbs #{vbscript} -Force
```
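The detection side of this test, as an added example that is not part of the Atomic Red Team repository: the test above produces a `powershell.exe -> cscript.exe <path>.vbs` process chain, and the technique description covers VBA macros in Office documents launching scripts. The scanner below runs over constructed process-creation events (field names loosely modelled on Sysmon Event ID 1 / Windows 4688: parent image, image, command line) and flags the Windows Script Host binaries when they execute a `.vbs`/`.vbe` file, scoring Office parents highest. The event shape, the sample paths (including the expanded `PathToAtomicsFolder` value) and the severity labels are assumptions made for the example.

```python
"""Detection sketch for T1059.005 (Visual Basic) over process-creation telemetry.

Added example, not Atomic Red Team code. Flags cscript.exe / wscript.exe
running a VBScript file and ranks the finding by the parent process:
Office parent (VBA macro chain) > shell/PowerShell parent (the Atomic
test's chain) > anything else.
"""
import re
from dataclasses import dataclass
from typing import Optional

SCRIPT_HOSTS = {"cscript.exe", "wscript.exe"}
VB_SCRIPT_EXT = re.compile(r"\.vb[se]\b", re.IGNORECASE)   # .vbs or .vbe in the command line
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELL_PARENTS = {"powershell.exe", "pwsh.exe", "cmd.exe"}


@dataclass
class Event:
    """Minimal process-creation event (assumed field set, not a real log schema)."""
    parent_image: str
    image: str
    command_line: str


@dataclass
class Finding:
    severity: str
    reason: str
    event: Event


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(ev: Event) -> Optional[Finding]:
    """Return a Finding when a script host runs a VBScript file, else None."""
    image = basename(ev.image)
    if image not in SCRIPT_HOSTS:
        return None
    if not VB_SCRIPT_EXT.search(ev.command_line):
        return None  # script host running something else (e.g. JScript); out of scope here
    parent = basename(ev.parent_image)
    if parent in OFFICE_PARENTS:
        return Finding("high", f"{image} launched from Office parent {parent} (possible VBA macro)", ev)
    if parent in SHELL_PARENTS:
        return Finding("medium", f"{image} running VBScript from shell {parent}", ev)
    return Finding("low", f"{image} running VBScript", ev)


def scan(events):
    """Evaluate every event and keep only the hits, in input order."""
    return [f for f in (evaluate(e) for e in events) if f is not None]


# Constructed sample events; paths and parents are illustrative only.
SAMPLE_EVENTS = [
    # Chain produced by the Atomic test: PowerShell -> cscript running sys_info.vbs
    Event(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          r"C:\Windows\System32\cscript.exe",
          r'cscript "C:\AtomicRedTeam\atomics\T1059.005\src\sys_info.vbs"'),
    # Office application spawning wscript: the VBA-macro chain from the technique description
    Event(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
          r"C:\Windows\System32\wscript.exe",
          r"wscript.exe //B C:\Users\alice\AppData\Local\Temp\doc.vbs"),
    # Interactive launch of a vendor logon script: still VBScript, but low priority
    Event(r"C:\Windows\explorer.exe",
          r"C:\Windows\System32\wscript.exe",
          r'wscript.exe "C:\Program Files\Vendor\logon.vbs"'),
    # Script host running JScript, not VBScript: not this technique
    Event(r"C:\Windows\System32\cmd.exe",
          r"C:\Windows\System32\cscript.exe",
          r"cscript.exe //nologo C:\scripts\inventory.js"),
    # Not a script host at all
    Event(r"C:\Windows\explorer.exe",
          r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          r"powershell.exe -NoProfile"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[{finding.severity}] {finding.reason}: {finding.event.command_line}")
```

Over the constructed events this yields three findings (medium for the Atomic test chain, high for the Office-parent chain, low for the Explorer-launched script) and ignores the JScript and plain PowerShell events. In real telemetry the parent-process field is the part worth trusting least, since script hosts are also reached through intermediate `cmd.exe` or scheduled-task launches, so the severity tiers are a triage aid rather than a verdict.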