MITRE ATT&CK® Analytic

AN0209: Analytic 0209

Detects execution of VB-based scripts or macros (VBS/VBA/VBScript) through cscript.exe/wscript.exe, Office-based process chains, or HTA usage. Focuses on chained behavior: Office or HTML container spawns script host > script host spawns PowerShell, network connections, or process injection.

Domain: Enterprise | ID: AN0209 | Type: Analytic | Object version: 1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

AN0209 is a Windows detection analytic focused on VB-based script and macro execution patterns, especially when Office or HTML containers launch script hosts such as cscript.exe or wscript.exe and those script hosts then launch PowerShell, make network connections, or show process-injection-related behavior. For leaders, the value is not just finding a script: it is validating whether the organization can see risky script chains that may cross productivity tools, scripting engines, and follow-on execution activity.

Executive priority

Prioritize this analytic where Windows endpoints and Office-based workflows are material to business operations. The decision value is in confirming whether SOC and incident response teams can reconstruct suspicious script-driven process chains quickly enough to support containment, user-impact assessment, audit evidence, and control improvement. Because the supplied object does not include tactics, relationships, or a formal detection query, this should be treated as a coverage validation requirement rather than proof of complete detection capability.

Technical view

SOC and detection engineering teams should validate Windows telemetry for parent-child process chains involving Office or HTML containers spawning cscript.exe or wscript.exe, followed by script host activity such as PowerShell launch, network connections, or process-injection indicators. The analytic description supports behavior-chain detection rather than single-process matching. Testing should focus on whether endpoint, process, command-line, network, and script-host visibility are correlated in the SIEM or detection platform. Tactics are not specified in the supplied ATT&CK fields, so mapping to local use cases should be done carefully and documented separately.

Likely telemetry

  • Windows process creation events with parent/child relationships
  • Command-line arguments for cscript.exe, wscript.exe, PowerShell, Office applications, and HTA-related execution
  • Endpoint telemetry showing Office-based process chains and HTML container activity
  • Network connection telemetry associated with script-host processes
  • Endpoint security telemetry for process injection or suspicious cross-process activity

Detection direction

  • Validate chained behavior, not only the presence of cscript.exe or wscript.exe, because legitimate administration and business processes may use script hosts.
  • Tune around parent processes such as Office or HTML containers spawning script hosts, then enrich with follow-on PowerShell, network, or process-injection-related activity.
  • Confirm that command-line logging and parent-child process relationships are available on Windows endpoints; without them, this analytic may degrade into noisy or incomplete matching.
  • Review false positives from approved macros, login scripts, software deployment tools, and legacy business automation before escalating broadly.
  • Because official detection logic is not provided, document local assumptions, thresholds, exclusions, and test evidence for audit and operational readiness.
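As an added illustration of the chain the analytic describes (example code, not part of the MITRE object or this page), the Python below walks constructed process-creation and network-connection records, whose field names loosely follow Sysmon Event ID 1 and Event ID 3, and reports only a script host that was spawned by an Office or HTA container and that itself spawned PowerShell or opened a network connection; the container, script-host and follow-on image lists and all sample records are assumptions.

```python
# Constructed sample records (not from the page or any real host). Field names loosely
# follow Sysmon Event ID 1 (process create) and Event ID 3 (network connection).
EVENTS = [
    {"id": 1, "pid": 100, "ppid": 1,   "image": "explorer.exe",   "cmdline": "explorer.exe"},
    # Chain 1: Word opens a macro document, spawns wscript.exe, which spawns PowerShell
    # and also opens a network connection -> should be flagged.
    {"id": 1, "pid": 200, "ppid": 100, "image": "WINWORD.EXE",    "cmdline": "WINWORD.EXE invoice.docm"},
    {"id": 1, "pid": 300, "ppid": 200, "image": "wscript.exe",    "cmdline": "wscript.exe update.vbs"},
    {"id": 1, "pid": 400, "ppid": 300, "image": "powershell.exe", "cmdline": "powershell.exe -NoProfile"},
    {"id": 3, "pid": 300, "dest": "203.0.113.5:443"},
    # Benign: a logon script run under userinit.exe (no Office/HTA parent) -> not flagged.
    {"id": 1, "pid": 500, "ppid": 1,   "image": "userinit.exe",   "cmdline": "userinit.exe"},
    {"id": 1, "pid": 600, "ppid": 500, "image": "cscript.exe",    "cmdline": "cscript.exe logon.vbs"},
    {"id": 1, "pid": 700, "ppid": 600, "image": "powershell.exe", "cmdline": "powershell.exe map.ps1"},
    # Office spawns a script host but nothing follows -> stage 1 only, not flagged.
    {"id": 1, "pid": 800, "ppid": 100, "image": "EXCEL.EXE",      "cmdline": "EXCEL.EXE report.xlsm"},
    {"id": 1, "pid": 900, "ppid": 800, "image": "cscript.exe",    "cmdline": "cscript.exe fmt.vbs"},
]

CONTAINERS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "mshta.exe"}
SCRIPT_HOSTS = {"cscript.exe", "wscript.exe"}
FOLLOW_ON = {"powershell.exe", "pwsh.exe"}


def find_script_chains(events):
    """Return one record per script host that (a) was spawned by an Office/HTA container
    and (b) itself spawned PowerShell or made a network connection. A script host with
    only (a) or only (b) is not reported, matching the chained-behavior intent."""
    # NOTE: keyed on pid for the demo; production logic must key on a process GUID,
    # because Windows reuses PIDs and a stale ppid would join unrelated processes.
    procs = {e["pid"]: e for e in events if e["id"] == 1}
    net_pids = {e["pid"] for e in events if e["id"] == 3}
    hits = []
    for host in procs.values():
        if host["image"].lower() not in SCRIPT_HOSTS:
            continue
        parent = procs.get(host["ppid"])
        if parent is None or parent["image"].lower() not in CONTAINERS:
            continue  # script hosts under explorer, userinit, deployment tools etc. are routine
        follow_on = [f"spawn:{c['image'].lower()}" for c in procs.values()
                     if c["ppid"] == host["pid"] and c["image"].lower() in FOLLOW_ON]
        if host["pid"] in net_pids:
            follow_on.append("network")
        if follow_on:
            hits.append({"container": parent["image"], "host": host["image"],
                         "host_pid": host["pid"], "cmdline": host["cmdline"],
                         "follow_on": follow_on})
    return hits
```

Running `find_script_chains(EVENTS)` yields a single record for the Word chain; the logon script and the Excel-only case are left alone, which is the tuning point the bullets above make.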

Mitigation priorities

  • Inventory legitimate VB/VBA/VBScript and HTA usage so detection teams can distinguish expected business automation from unusual chained execution.
  • Reduce unnecessary script-host and macro execution where business requirements allow, using policy and application control approaches appropriate to the environment.
  • Harden Office macro handling and script execution governance, with exceptions reviewed and owned by business stakeholders.
  • Ensure incident response playbooks include triage steps for Office-to-script-host-to-PowerShell or network activity chains on Windows systems.
  • Use detection validation results to prioritize endpoint logging, SIEM correlation, and control gaps rather than assuming this analytic alone provides full coverage.

Analyst notes and limits

This take is based only on the supplied MITRE analytic fields for AN0209. The object is a detection analytic in the enterprise-attack domain for Windows, with no supplied relationships and no official detection query. The strongest supported interpretation is a behavior-chain detection concept for VB-based scripts or macros using script hosts, Office process chains, HTA usage, and follow-on PowerShell, network, or process-injection-related activity.

No ATT&CK tactics, related techniques, data components, mitigation relationships, or executable detection logic were supplied. Local environment evidence is required to determine relevance, expected false positives, logging sufficiency, and operational coverage. This summary does not claim active exploitation, attribution, guaranteed detection, or exposure.

Official MITRE ATT&CK definition

Analytic 0209

Detects execution of VB-based scripts or macros (VBS/VBA/VBScript) through cscript.exe/wscript.exe, Office-based process chains, or HTA usage. Focuses on chained behavior: Office or HTML container spawns script host > script host spawns PowerShell, network connections, or process injection.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
b163e03f7f21ff11...
Imported snapshots across ATT&CK releases (1)
Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | b163e03f7f21…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN0209 (external source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.