Visual Basic
Adversaries may abuse Visual Basic (VB) for execution. VB is a programming language created by Microsoft that interoperates with many Windows technologies, such as the Component Object Model (COM) and the Native API (through the Windows API). Although Microsoft has tagged it as legacy with no planned future evolution, VB is integrated with and supported in the .NET Framework and in cross-platform .NET Core.

Derivative languages based on VB have also been created, notably Visual Basic for Applications (VBA) and VBScript. VBA is an event-driven language built into Microsoft Office and several third-party applications; it lets documents carry macros that automate tasks and other functionality on the host. VBScript is a scripting language shipped by default on Windows hosts (executed through the Windows Script Host, wscript.exe and cscript.exe) and can also be used in place of JavaScript in HTML Application (HTA) pages, which run under mshta.exe on the Internet Explorer engine; most modern browsers do not support it. Note that Microsoft announced the deprecation of VBScript in 2023 and is turning it into an optional feature that can be removed from the OS, so its availability should be verified per host rather than assumed.

Adversaries may use VB payloads to execute malicious commands. Common malicious usage includes automating execution of behaviors with VBScript or embedding VBA content into Spearphishing Attachment payloads. Because Office blocks macros by default in files that carry the Mark-of-the-Web, such attachments are often combined with a Mark-of-the-Web Bypass (for example, delivery inside archive or disk-image containers that strip or fail to propagate the mark) to enable execution.
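The obfuscation that makes VBScript and VBA payloads hard to read at a glance is usually simple: string literals assembled from Chr() calls or split across several "&" concatenations so that ProgIDs such as WScript.Shell never appear verbatim. The following static triage script is an added example and is not code from the ATT&CK page or any of the listed reports; the sample payload, the indicator list and the Chr() handling are constructed for illustration and should be tuned against your own samples.

```python
"""Static triage of a captured VBScript / VBA payload.

Added example, not code from the ATT&CK page: undo the Chr()-concatenation
and split-string-literal obfuscation common in VB droppers, then flag the
COM objects and statements that malicious scripts typically rely on.
The indicator list and the sample script are constructed for illustration.
"""
import re

# Constructed sample (not a real-world payload). "WScript.Shell" is
# assembled from Chr() calls and a second ProgID is split across string
# literals, so neither appears verbatim in the file.
SAMPLE_VBS = r'''
Dim sh, prog, fso
prog = Chr(87) & Chr(83) & Chr(99) & Chr(114) & Chr(105) & Chr(112) & _
       Chr(116) & Chr(46) & Chr(83) & Chr(104) & Chr(101) & Chr(108) & Chr(108)
Set sh = CreateObject(prog)
Set fso = CreateObject("Scripting.File" & "SystemObject")
sh.Run "cmd /c echo triage", 0, True
'''

# A run of Chr()/ChrW()/ChrB() calls joined by "&" (VB string concatenation).
CHR_RUN = re.compile(
    r"Chr[WB]?\(\s*\d+\s*\)(?:\s*&\s*Chr[WB]?\(\s*\d+\s*\))*", re.I)
# Two adjacent string literals joined by "&".
LIT_CONCAT = re.compile(r'"([^"\n]*)"\s*&\s*"([^"\n]*)"')
# VB line continuation: a space followed by an underscore at end of line.
LINE_CONT = re.compile(r"[ \t]_\r?\n[ \t]*")

# (label, regex applied to the deobfuscated text). Case-insensitive like VB.
INDICATORS = [
    ("WScript.Shell", r"WScript\.Shell"),
    ("Shell.Application", r"Shell\.Application"),
    ("XMLHTTP/WinHttp download", r"MSXML2\.(?:Server)?XMLHTTP|WinHttp\.WinHttpRequest"),
    ("ADODB.Stream", r"ADODB\.Stream"),
    ("Scripting.FileSystemObject", r"Scripting\.FileSystemObject"),
    ("dynamic code (Execute/ExecuteGlobal/Eval)", r"\b(?:Execute|ExecuteGlobal|Eval)\b"),
    ("auto-exec macro entry point",
     r"\b(?:AutoOpen|Auto_Open|AutoExec|Document_Open|Workbook_Open)\b"),
    ("Run/Exec/ShellExecute call", r"\.(?:Run|Exec|ShellExecute)\b"),
]


def _chr_run_to_literal(match):
    codes = re.findall(r"\(\s*(\d+)\s*\)", match.group(0))
    # A decoded quote would need VB's "" escaping; not handled in this example.
    return '"' + "".join(chr(int(c)) for c in codes) + '"'


def deobfuscate(script):
    """Join continued lines, decode Chr() runs, then merge split literals."""
    text = LINE_CONT.sub(" ", script)
    text = CHR_RUN.sub(_chr_run_to_literal, text)
    while True:  # repeat until no adjacent literals remain
        merged = LIT_CONCAT.sub(r'"\1\2"', text)
        if merged == text:
            return text
        text = merged


def triage(script):
    """Return the deobfuscated text, the indicators hit, and a Chr() count."""
    deob = deobfuscate(script)
    hits = [label for label, pat in INDICATORS if re.search(pat, deob, re.I)]
    return {
        "deobfuscated": deob,
        "indicators": hits,
        "chr_calls": len(re.findall(r"\bChr[WB]?\s*\(", script, re.I)),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_VBS)
    print(result["deobfuscated"])
    print("indicators:", result["indicators"], "Chr() calls:", result["chr_calls"])
```

On the sample, the Chr() run collapses to "WScript.Shell" and the split literal to "Scripting.FileSystemObject", after which three indicators fire (the shell object, the file-system object and the .Run call). A high Chr() count with few readable strings is itself a useful signal even before any indicator matches; real samples also use StrReverse, Replace and arithmetic on character codes, which this example deliberately does not cover.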
Detection logic
Monitor for events associated with VB execution: Office applications spawning child processes, use of the Windows Script Host (typically cscript.exe or wscript.exe), file activity involving VB payloads or scripts (.vbs, .vbe, .wsf, macro-enabled Office documents), and loading of modules associated with VB languages (e.g., vbscript.dll, or vbe7.dll when Office runs VBA). VB execution is likely to perform actions with various effects on a system that generate further events, depending on the types of monitoring in place. Monitor processes and command-line arguments both for the execution itself and for subsequent behavior; that behavior may be network and system information Discovery, Collection, or other programmable post-compromise activity, and correlating it back to the originating script host and its parent process is what turns these individual events into a usable detection.

Understanding standard usage patterns is important to avoid a high number of false positives: logon scripts, software deployment and administrative tooling all use WSH legitimately. If VB execution is restricted for normal users, any attempt to enable related components on a system should be considered suspicious. If VB execution is enabled but not commonly used on a system, execution out of cycle with patching or other administrator functions is suspicious. Capture payloads and scripts from the file system when possible to determine their actions and intent; obfuscated scripts in particular reveal little until they are deobfuscated.
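The guidance above maps onto a handful of rules over process-creation and image-load telemetry. The block below is an added example, not code from the ATT&CK page: it runs those rules over constructed Sysmon-style records (Event ID 1 for process creation, Event ID 7 for image load). The allow-list of processes expected to load vbscript.dll, the user-writable path list and the Office process names are assumptions that must be tuned to your own baseline, which is exactly the "standard usage patterns" point made above.

```python
"""Detection logic for VB execution over Sysmon-style events.

Added example, not code from the ATT&CK page. SAMPLE_EVENTS are constructed
to resemble Sysmon Event ID 1 (process creation) and Event ID 7 (image
load) records; OFFICE, EXPECTED_VBSCRIPT_HOSTS and USER_WRITABLE are
assumed baselines to tune per environment.
"""
import ntpath
import re

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
WSH = {"wscript.exe", "cscript.exe"}
# Processes for which loading vbscript.dll is normal (assumed baseline).
EXPECTED_VBSCRIPT_HOSTS = WSH | {"mshta.exe", "iexplore.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")
# Script extensions handled by WSH, or an explicit engine selection (//E:vbscript).
VB_SCRIPT_ARG = re.compile(r"\.(?:vbs|vbe|wsf)\b|//e:vbscript", re.I)

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # Word spawning wscript.exe on a script dropped in %TEMP%
        "EventID": 1,
        "Image": r"C:\Windows\System32\wscript.exe",
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\AppData\Local\Temp\invoice.vbs"',
    },
    {   # Legitimate admin use of a built-in script from an interactive shell
        "EventID": 1,
        "Image": r"C:\Windows\System32\cscript.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"cscript.exe //nologo C:\Windows\System32\slmgr.vbs /dlv",
    },
    {   # vbscript.dll loaded into a process that should not host VBScript
        "EventID": 7,
        "Image": r"C:\Windows\System32\rundll32.exe",
        "ImageLoaded": r"C:\Windows\System32\vbscript.dll",
    },
    {   # Inline VBScript handed to mshta.exe through the vbscript: protocol
        "EventID": 1,
        "Image": r"C:\Windows\System32\mshta.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'mshta.exe vbscript:Execute("MsgBox 1:close")',
    },
]


def _name(path):
    """Lower-cased file name of a Windows path, independent of the host OS."""
    return ntpath.basename(path).lower()


def analyze(event):
    """Return the rule names a single event triggers (empty list if none)."""
    hits = []
    if event["EventID"] == 1:
        image, parent = _name(event["Image"]), _name(event["ParentImage"])
        cmd = event.get("CommandLine", "")
        if parent in OFFICE:
            hits.append("office_child_process")
        if image in WSH and VB_SCRIPT_ARG.search(cmd):
            hits.append("wsh_vbs_execution")
            if any(d in cmd.lower() for d in USER_WRITABLE):
                hits.append("script_from_user_writable_path")
        if image == "mshta.exe" and re.search(r"\bvbscript:", cmd, re.I):
            hits.append("hta_inline_vbscript")
    elif event["EventID"] == 7:
        if (_name(event["ImageLoaded"]) == "vbscript.dll"
                and _name(event["Image"]) not in EXPECTED_VBSCRIPT_HOSTS):
            hits.append("vbscript_dll_in_unexpected_host")
    return hits


def run(events):
    """Evaluate every event; only events with at least one hit are returned."""
    findings = []
    for i, event in enumerate(events):
        hits = analyze(event)
        if hits:
            findings.append((i, hits))
    return findings


if __name__ == "__main__":
    for index, hits in run(SAMPLE_EVENTS):
        print(f"event {index}: {', '.join(hits)}")
```

The Word-spawned script fires three rules at once, which is the kind of stacking worth alerting on, while the slmgr.vbs run fires only the generic WSH rule and is where baseline knowledge (parent is an interactive cmd.exe, script lives under System32) keeps it out of the alert queue. In production, rule 1 would also carry the parent's command line and the user, and the image-load rule should be joined to the process-creation record of the same ProcessGuid so the loaded script can be retrieved from disk.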
Observed actors
G0082
G1008 SideCopy
G0094 Kimsuky
G0040 Patchwork
G0078 Gorgon Group
G0050 APT32
G0069 MuddyWater
G0047 Gamaredon Group
G0046 FIN7
G0034 Sandworm Team
G0095 Machete
G0121 Sidewinder
G0129 Mustang Panda
G0087 APT39
G1018 TA2541
G0067 APT37
G0049 OilRig
G0126 Higaisa
G0062 TA459
G0142 Confucius
G0065 Leviathan
G0010 Turla
G0092 TA505
G1039 RedCurl
G0016 APT29
G0060 BRONZE BUTLER
G0140 LazyScripter
G0112 Windshift
G1026 Malteiro
G0099 APT-C-36
G0032 Lazarus Group
G1006 Earth Lusca
G0085 FIN4
G0091 Silence
G0080 Cobalt Group
G0021 Molerats
G0134 Transparent Tribe
G0100 Inception
G1001 HEXANE
G0075 Rancor
G0090 WIRTE
G0059 Magic Hound
G0064 APT33
G1016 FIN13
Correlated CTI and IR reports
PwC (direct source mapping): APT39 (Chafer / Remix Kitten)
Israel Threat Actors CTI (explicit report mention): ATT&CK as a Working Tool: Theory and Hands-On Practical Usage
1200km CTI repository (explicit report mention): CTI Research: MuddyWater / Seedworm (Mango Sandstorm)
1200km CTI repository (explicit report mention): ATT&CK as a Working Tool: Theory and Hands-On Practical Usage
1200km Medium (authored report mention): CTI Research: MuddyWater / Seedworm (Mango Sandstorm)