MITRE ATT&CK detection coverage

← Back to main site

Home/ MITRE Matrix/ Execution/ T1059.005

T1059.005Visual Basic

T1059.005 — Visual Basic is a MITRE ATT&CK technique in the Execution tactic. Clankerusecase tracks 17 detection use cases covering it and 91 threat-intel articles citing it.

Execution

View on the matrix → Filter Detection Library MITRE official spec ↗

17Use cases

91Articles

0Sub-techniques

1Tactic

↑ Parent technique: T1059 · Command and Scripting Interpreter

Use cases covering this technique (17)

Office app spawning script/LOLBin child process Internal exploit · alerting DSΣP Cisco NVM - MSHTML or MSHTA Network Execution Without URL in CLI ESCU actions · hunting P Cisco NVM - Susp Script From Archive Triggering Network Activity ESCU actions · hunting P Execute Javascript With Jscript COM CLSID ESCU actions · alerting P Vbscript Execution Using Wscript App ESCU actions · alerting P Windows Outlook Macro Created by Suspicious Process ESCU actions · alerting P Suspicious Process DNS Query Known Abuse Web Services ESCU actions · alerting P Suspicious Process With Discord DNS Query ESCU actions · hunting P [LLM] Earth Dahu / Gamaredon HTA-to-VBScript chain (mshta.exe spawning wscript/cscript) Bespoke delivery · alerting DSΣPDDCS [LLM] axios RAT Windows persistence: %PROGRAMDATA%\wt.exe drop + %TEMP%\6202033.vbs/.ps1 staging Bespoke install · alerting DSΣPDDCS [LLM] cscript/wscript executing a script from .laravel_locale temp directory Bespoke install · alerting DSΣPDDCS [LLM] cscript.exe launching .vbs from .laravel_locale temp directory Bespoke install · alerting DSΣPDDCS [LLM] Kimsuky JSE dropper: wscript -> powershell hidden + certutil -decode chain Bespoke delivery · alerting DSΣPDD [LLM] PowerShell masquerading as Windows Terminal at %PROGRAMDATA%\wt.exe (Axios RAT Windows stage) Bespoke install · alerting DSΣPDDCS [LLM] PowerShell copy masqueraded as Windows Terminal in %PROGRAMDATA% running 6202033.ps1 Bespoke install · alerting DSΣPDD [LLM] APT28 MacroMaze: schtasks creating wscript-launched persistence with 20/30/61-minute repeat Bespoke install · alerting DSΣP [LLM] SnakeStealer Startup-Folder Persistence (ageless.vbs / .exe drop in Programs\Startup) Bespoke install · alerting DSΣPDDCS

Articles citing this technique (91)

high FBI disrupts massive AI-powered phishing service using a million URLs art-01

med New Agentjacking Attack Hijacks Your AI Coding Agent to Run Code From a Hacker’s Server art-06

crit Tracing Digital Intent: New MacOS Tahoe 26 Artifact Discovered art-15

high Google Sues Chinese Smishing Network Accused of Using Gemini AI in Phishing art-18

med Hackers Abuse Legitimate NinjaOne RMM Software to Bypass Traditional Malware Detection art-23

high Agentjacking Attack Tricks AI Coding Agents Into Running Malicious Code art-28

crit Rethinking MDR as Attackers and Defenders Embrace AI art-30

high INTERPOL Operation Takes Down Sniper Dz Phishing Platform, Arrests Administrator art-33

high New Attacks Trick OpenClaw AI Agent Into Running Code and Leaking Secrets art-41

high npm v12 delivers one of the biggest security improvements in years art-46

crit Cybersecurity Stars Awards 2026: Winners Announced Across 95 Categories art-48

high Blinding the Watchmen: Abusing Cloud Logging Services for Defense Evasion and Visibility art-74

crit Microsoft Restores Some GitHub Repos, Keeps Others Offline as Miasma Probe Continues art-82

crit WinRAR Flaw Exploited by Russia-Aligned Groups to Deploy Stealers in Ukraine art-86

crit Researchers Build Self-Replicating AI Worm That Operates Entirely on Local, Open-Weight Models art-87

crit New FROST Attack Lets Websites Track What Sites and Apps You Open via SSD Timing art-89

high Hades PyPI Attack: 19 Packages Poisoned to Auto-Run Bun Credential Stealer art-90

crit LiteLLM Flaw CVE-2026-42271 Exploited in the Wild, Chains to Unauthenticated RCE art-92

high When “Hi, This Is IT” Comes Through Microsoft Teams art-98

crit One-Character Linux Kernel Flaw Enables Local Root Access, Exploits Now Public art-100

crit Meta Blocks NSO Group's New WhatsApp Phishing Attack, Files Contempt Order art-101

crit AI brands as bait: How threat actors are using the AI hype in social engineering art-102

crit AI Phishing Is Crushing SOCs with Alert Volume: How to Reduce Tier 1 Overload art-103

crit VerdantBamboo Deploys BSD Variant of BRICKSTORM on Linux Appliances art-107

crit UNC3753 Used Vishing and Physical Intrusions in U.S. Data Theft Extortion Campaign art-108

high Free Apps Are Quietly Turning Smart TVs Into Web-Scraping Proxies for AI art-114

high Reporting from Vegas: Networking, AI, and good boys art-126

med Type Level Security: The future of secure AI code generation? art-132

crit Malicious npm packages abuse dependency confusion to profile developer environments art-161

crit [GHSA / CRITICAL] CVE-2026-47392: PraisonAI vulnerable to sandbox escape via `print.__self__` builtins module leak in `execute_code` (subpro art-166

high What MDM can't protect on developer machines (and what to do about it) art-186

crit 2026 World Cup: Discussing The World’s Biggest Game’s Attack Surface art-187

crit ESET APT Activity Report Q4 2025–Q1 2026 art-189

med Pirates in the crosshairs: how one cybercrime gang has been infecting book, movie, and TV show fans for years art-190

crit Out of the Crypt: The Evolving Cyber Extortion Economy art-193

crit BTMOB: A stealthy RAT burrowing deep into Android devices art-209

crit Laravel Lang Supply Chain Advisory art-211

high Supply Chain Attack Targets Laravel-Lang Packages with Credential Stealer art-212

crit Tracking Iranian APT Screening Serpens’ 2026 Espionage Campaigns art-217

crit Paved With Intent: ROADtools and Nation-State Tactics in the Cloud art-218

crit Cloud Atlas activity in the second half of 2025 and early 2026: new tools and a new payload art-219

med Foul play: Fake FIFA websites target soccer fans looking for World Cup tickets, merchandise art-220

crit The Wild West of VS Code extensions and how a poisoned extension breached GitHub art-236

crit [GHSA / CRITICAL] CVE-2026-45311: DeepSeek TUI: run_tests Tool Enables RCE via Malicious Repository Without Approval art-293

crit Kimsuky targets organizations with PebbleDash-based tools art-308

crit FrostyNeighbor: Fresh mischief and digital shenanigans art-309

crit Inside AD CS Escalation: Unpacking Advanced Misuse Techniques and Tools art-316

crit PCPJack | Cloud Worm Evicts TeamPCP and Steals Credentials at Scale art-322

crit A rigged game: ScarCruft compromises gaming platform in a supply-chain attack art-332

high Someone published four versions of a fake "tanstack" package in 27 minutes to steal your .env files art-346

high It's time to treat browser extensions like supply chain attack vectors art-354

crit New NGate variant hides in a trojanized NFC payment app art-369

high As breakout time accelerates, prevention-first cybersecurity takes center stage art-408

high Axios npm Package Compromised: Supply Chain Attack Delivers Cross-Platform RAT art-420

high axios compromised on npm: maintainer account hijacked, RAT deployed art-421

high A cunning predator: How Silver Fox preys on Japanese firms this tax season art-426

crit EDR killers explained: Beyond the drivers art-455

crit GlassWorm Hides a RAT Inside a Malicious Chrome Extension art-458

crit Cyber fallout from the Iran war: What to have on your radar art-474

crit Sednit reloaded: Back in the trenches art-477

crit Protecting education: How MDR can tip the balance in favor of schools art-491

crit PlugX Meeting Invitation via MSBuild and GDATA art-503

high 20+ Popular NPM Packages Compromised (Chalk, Debug, Strip-ANSI, Color-Convert, Wrap-ANSI...) art-537

crit Operation MacroMaze: new APT28 campaign using basic tooling and legit infrastructure art-542

crit Naming and shaming: How ransomware groups tighten the screws on victims art-544

crit Another npm Supply Chain Attack: The 'is' Package Compromise art-554

high npx Confusion: Packages That Forgot to Claim Their Own Name art-578

high Fake Clawdbot VS Code Extension Installs ScreenConnect RAT art-594

high Gone Phishin': npm Packages Serving Custom Credential Harvesting Pages art-605

crit ESET Threat Report H2 2025 art-647

crit Supply Chain Security Alert: eslint-config-prettier Package Shows Signs of Compromise art-654

med Why Threat Modeling Is Now Even More Critical for AI-Native Applications art-694

crit ESET APT Activity Report Q2 2025–Q3 2025 art-715

high How MDR can give MSPs the edge in a competitive market art-730

crit SnakeStealer: How it preys on personal data – and how you can protect yourself art-736

crit Phishing Campaign Leveraging the NPM Ecosystem art-754

crit CISA KEV: CVE-2011-3402 — Microsoft Windows Remote Code Execution Vulnerability art-762

high Zero-day Extensive NPM Package Compromise - Shai Hulud Supply Chain Attack art-789

high npm Supply Chain Attack via Open Source maintainer compromise art-794

high Weaponizing AI Coding Agents for Malware in the Nx Malicious Package Security Incident art-806

high Snyk Joins CISA's Secure by Design Pledge art-828

crit Maintainers of ESLint Prettier Plugin Attacked via npm Supply Chain Malware art-837

crit CISA KEV: CVE-2024-4879 — ServiceNow Improper Input Validation Vulnerability art-1200

high A stepping stone towards holistic application risk and compliance management of the Digital Operational Resiliency Act (DORA) art-1211

crit Polyfill supply chain attack embeds malware in JavaScript CDN assets art-1218

high Snyk AppRisk Pro: A holistic approach to application risk management art-1252

crit Snyk Learn and the NIST Cybersecurity Framework (CSF) art-1274

high Defense in Depth art-1278

crit New Year's security resolutions for 2024 from Snyk DevRel, SecRel, and friends art-1294

high Cybersecurity Venture’s 2023 Software Supply Chain Attack Report art-1362

high XS leaks: What they are and how to avoid them art-1419