Skip to content

DET0076 Behavioral Detection of Visual Basic Execution (VBS/VBA/VBScript)

Item Value
ID DET0076
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1059.005 (Visual Basic)

Analytics

Windows

AN0209

Detects execution of VB-based scripts or macros (VBS/VBA/VBScript) through cscript.exe/wscript.exe, Office-based process chains, or HTA usage. Focuses on chained behavior: Office or HTML container spawns script host > script host spawns PowerShell, network connections, or process injection.

Log Sources
Data Component Name Channel
Process Creation (DC0032) WinEventLog:Sysmon EventCode=1
Module Load (DC0016) WinEventLog:Sysmon EventCode=7
Mutable Elements
Field Description
ParentProcess Microsoft Word/Excel or mshta.exe spawning wscript.exe/cscript.exe.
UserContext Script execution by non-admin users or service accounts.
TimeWindow Script execution outside normal business hours or patching cycle.
PayloadEntropyThreshold High entropy indicative of obfuscation or encoding in the script.
ModuleName Loading of vbscript.dll, scrrun.dll, or other scripting engine modules.

macOS

AN0210

Detects embedded or emulated VBScript/VBA execution via Wine-based apps, Office for Mac abusing cross-platform .NET features, or macros dropped and invoked via AppleScript or third-party automation tools.

Log Sources
Data Component Name Channel
Script Execution (DC0029) macos:unifiedlog log stream –predicate ‘eventMessage contains “wscript” OR “vbs”’
Process Creation (DC0032) macos:osquery process_events
Command Execution (DC0064) macos:syslog system.log
Mutable Elements
Field Description
ScriptLocation Script run from ~/Downloads, ~/Library, or /tmp/
EmulationContext Wine or CrossOver launching legacy Windows scripting engines.
UserContext VB execution from non-standard or shared users on endpoint.

Linux

AN0211

Detects abuse of Mono/.NET Core environments to execute VB-like scripts, often in environments with Office emulation or WINE. Focus is on rare invocations of scripting hosts like mono.exe or .NET shells, often seen in spam filtering or forensic labs with Office support.

Log Sources
Data Component Name Channel
Process Creation (DC0032) auditd:SYSCALL execve
Script Execution (DC0029) linux:syslog /var/log/syslog
Mutable Elements
Field Description
InterpreterPath Mono/.NET Core binary location may differ per distro or Docker container.
FileExtension .vbs, .vb, or .vba run under non-standard interpreters.
ExecContext Execution by low-privilege users or from /tmp/.