MITRE ATT&CK® Detection Strategy

DET0076: Behavioral Detection of Visual Basic Execution (VBS/VBA/VBScript)

Enterprise | DET0076 | Detection Strategy | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This detection strategy matters because Visual Basic execution can be a legitimate business function and an execution path adversaries may abuse. For leaders, the key decision is not “do we block all VB,” but whether the organization can distinguish expected VBS/VBA/VBScript activity from suspicious execution patterns quickly enough to support incident response and business continuity.

Executive priority

Prioritize validation where Visual Basic is still present in business workflows, especially environments with Windows dependencies, Office automation, scripts, or legacy applications. Because the supplied ATT&CK detection strategy has no official detection text or platform list, leadership should ask for evidence-based coverage: what VB execution is logged, what is normal, who reviews exceptions, and whether SOC/IR teams can investigate related execution activity tied to ATT&CK T1059.005.

Technical view

This object is a detection strategy for ATT&CK T1059.005, Visual Basic, under the Execution tactic. The related technique notes Visual Basic abuse for execution and its interoperability with Windows technologies such as COM and the Native API, while also indicating .NET Framework and cross-platform .NET Core relevance. SOC and detection teams should validate behavioral analytics around Visual Basic execution rather than relying only on file names or extensions. Since no official detection logic is provided, local baselining and environment-specific telemetry are required.

Likely telemetry

  • Process creation and command-line telemetry for Visual Basic-related interpreters or hosts where collected
  • Script execution logs or script content metadata where available
  • Parent-child process relationships showing what launched Visual Basic activity
  • File creation, modification, and execution metadata for VBS, VBA, VBScript, or related script artifacts
  • User, host, and application context for expected automation or legacy workflows

Detection direction

  • Inventory where Visual Basic execution is legitimate before tuning detections, to reduce false positives from administrative scripts, business macros, and legacy automation.
  • Validate alerts on unusual parent-child process chains, rare users or hosts, unexpected script locations, abnormal execution times, or Visual Basic activity outside approved workflows.
  • Correlate Visual Basic execution with the broader Execution tactic context for T1059.005 rather than treating each script event in isolation.
  • Check for blind spots caused by missing process command lines, disabled script logging, incomplete endpoint coverage, or unmanaged legacy systems.
  • Because MITRE supplied no official detection text for DET0076, treat any rule implementation as locally derived and require testing against known-good business activity.
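The telemetry and detection-direction bullets above amount to a procedure: inventory approved Visual Basic usage first, then flag executions that deviate from it (unusual parent, unapproved user, unexpected script location, abnormal time) and surface blind spots such as missing command lines. The Python below is an added example of that triage logic applied to constructed process-creation records; it is not MITRE's, Glexia's, or any official DET0076 analytic. The interpreter names, the approved-workflow inventory, the business-hours window and the sample events are all assumptions made for the illustration.

```python
"""Locally derived triage of Visual Basic execution telemetry for T1059.005.

Example code, not MITRE's or Glexia's. The interpreter names, the approved
workflow inventory, the business-hours window and the sample events are all
constructed for this example.
"""
from dataclasses import dataclass, field
from datetime import datetime
from pathlib import PureWindowsPath
from typing import List, Optional

# Windows hosts that execute VBS/VBScript files (assumed for this example).
VB_HOSTS = {"wscript.exe", "cscript.exe"}
# Shells a VBA macro commonly spawns from an Office process.
SHELL_HOSTS = {"cmd.exe", "powershell.exe"}
# Office applications that run VBA macros in-process.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Hypothetical approved-workflow inventory: the result of the "inventory first" step.
APPROVED = {
    "users": {"corp\\svc_sched"},                 # accounts allowed to run automation
    "parents": {"taskeng.exe", "svchost.exe"},    # launchers for scheduled automation
    "script_dirs": {PureWindowsPath(r"C:\Automation\Approved")},
    "hours": range(6, 20),                        # local business hours, 06:00-19:59
}


@dataclass
class ProcessEvent:
    """Minimal process-creation record as an EDR or Sysmon event would provide it."""
    timestamp: str                # ISO 8601, local time
    host: str
    user: str
    parent_image: str
    image: str
    command_line: Optional[str]   # None when command-line logging is missing


@dataclass
class Finding:
    event: ProcessEvent
    reasons: List[str] = field(default_factory=list)


def script_path(command_line: str) -> Optional[PureWindowsPath]:
    """Return the first .vbs/.vbe argument on the command line (paths without spaces)."""
    for token in command_line.replace('"', "").split():
        if token.lower().endswith((".vbs", ".vbe")):
            return PureWindowsPath(token)
    return None


def in_approved_dir(path: PureWindowsPath) -> bool:
    """PureWindowsPath compares case-insensitively, matching NTFS semantics."""
    return any(approved in path.parents for approved in APPROVED["script_dirs"])


def triage(event: ProcessEvent) -> Optional[Finding]:
    """Apply the detection directions to one event; None means expected activity."""
    image = PureWindowsPath(event.image).name.lower()
    parent = PureWindowsPath(event.parent_image).name.lower()
    macro_chain = parent in OFFICE_APPS and image in (VB_HOSTS | SHELL_HOSTS)
    if image not in VB_HOSTS and not macro_chain:
        return None  # not Visual Basic related, ignore
    reasons = []
    if event.command_line is None:
        reasons.append("telemetry gap: process command line not collected")
    hour = datetime.fromisoformat(event.timestamp).hour
    if hour not in APPROVED["hours"]:
        reasons.append(f"execution outside business hours ({hour:02d}:00)")
    if macro_chain:
        reasons.append(f"Office application {parent} spawned {image} (macro-launched chain)")
    elif parent not in APPROVED["parents"]:
        reasons.append(f"unexpected parent process {parent}")
    if event.user.lower() not in APPROVED["users"]:
        reasons.append(f"user {event.user} not in approved automation accounts")
    path = script_path(event.command_line) if event.command_line else None
    if path is not None and not in_approved_dir(path):
        reasons.append(f"script outside approved locations: {path}")
    return Finding(event, reasons) if reasons else None


def triage_all(events: List[ProcessEvent]) -> List[Finding]:
    """Return only the events that need analyst review, in input order."""
    return [f for f in (triage(e) for e in events) if f is not None]


# Constructed sample telemetry: one approved job, one macro-launched script, one logging gap.
SAMPLE_EVENTS = [
    ProcessEvent("2024-03-04T07:00:00", "FS01", "CORP\\svc_sched", r"C:\Windows\System32\taskeng.exe",
                 r"C:\Windows\System32\cscript.exe", r'cscript.exe //Nologo "C:\Automation\Approved\inventory.vbs"'),
    ProcessEvent("2024-03-04T21:30:00", "WS117", "CORP\\jdoe", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\System32\wscript.exe", r'wscript.exe //B "C:\Users\jdoe\AppData\Local\Temp\invoice.vbs"'),
    ProcessEvent("2024-03-04T10:15:00", "WS042", "CORP\\admin", r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\cscript.exe", None),
]

if __name__ == "__main__":
    for finding in triage_all(SAMPLE_EVENTS):
        print(f"{finding.event.host} {finding.event.user}: {'; '.join(finding.reasons)}")
```

The approved nightly job produces no finding, the Office-launched script from a user temp directory accumulates four reasons, and the event with no command line is surfaced as a telemetry gap rather than silently passing, which is the blind-spot check the last two bullets ask for. Every threshold here is a stand-in for the organization's own inventory and must be tested against known-good business activity before use.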

Mitigation priorities

  • Establish ownership and inventory for approved Visual Basic, VBA, VBS, and VBScript usage.
  • Reduce unnecessary legacy script execution where business owners confirm it is no longer required.
  • Apply least-privilege and change-control practices to users, hosts, and locations that can create or run scripts.
  • Ensure endpoint and SOC logging captures enough execution context to support investigation and audit evidence.
  • Document accepted business exceptions so managed detection and incident response teams can distinguish expected automation from suspicious behavior.

Analyst notes and limits

The strongest use of this object is as a coverage-validation prompt: confirm whether the organization can observe and triage Visual Basic execution associated with T1059.005. Relationship context supports focusing on execution behavior and Visual Basic interoperability, but the detection strategy itself does not provide official analytics, data sources, platforms, or implementation guidance.

Official description, official detection text, tactics, and platforms are not provided for DET0076. Platform context comes only from the related T1059.005 technique, which lists Linux, macOS, and Windows. Local environment evidence is required before making coverage, exposure, or control-effectiveness claims.

Official MITRE ATT&CK definition

Behavioral Detection of Visual Basic Execution (VBS/VBA/VBScript)

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure
Enterprise | T1059.005 | Visual Basic (sub-technique) | This object detects Visual Basic.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 3a93cdd4a00cce58...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 3a93cdd4a00c…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack DET0076

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.