Visual Basic Command Line Compiler Usage
Detects successful code compilation via the Visual Basic Command Line Compiler (vbc.exe), identified by it launching the Windows Resource to Object Converter (cvtres.exe).
Sigma rule
title: Visual Basic Command Line Compiler Usage
id: 7b10f171-7f04-47c7-9fa2-5be43c76e535
status: test
description: Detects successful code compilation via Visual Basic Command Line Compiler that utilizes Windows Resource to Object Converter.
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Vbc/
author: 'Ensar Şamil, @sblmsrsn, @oscd_initiative'
date: 2020-10-07
modified: 2021-11-27
tags:
    - attack.defense-evasion
    - attack.t1027.004
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\vbc.exe'
        Image|endswith: '\cvtres.exe'
    condition: selection
falsepositives:
    - Utilization of this tool should not be seen in enterprise environment
level: high
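To check the selection logic offline, the added example below (not part of the Sigma project or the original page) applies the rule's two `endswith` conditions to constructed process-creation events. The event ids, file paths and helper names are assumptions made for illustration; only the field names and patterns come from the rule.

```python
# Added example: evaluates the rule's "selection" against constructed events.
# Field names and patterns come from the rule; events and helpers are made up.

SELECTION = {
    "ParentImage|endswith": "\\vbc.exe",
    "Image|endswith": "\\cvtres.exe",
}

def field_matches(event, key, pattern):
    """Apply one 'Field|modifier' test; Sigma string matching is case-insensitive."""
    field, _, modifier = key.partition("|")
    value = event.get(field)
    if not isinstance(value, str):
        return False  # a missing field never matches
    value, pattern = value.lower(), pattern.lower()
    if modifier == "endswith":
        return value.endswith(pattern)
    if modifier == "":
        return value == pattern
    raise ValueError(f"unsupported modifier: {modifier}")

def selection_matches(event, selection=SELECTION):
    """All keys inside one selection map are ANDed together."""
    return all(field_matches(event, k, p) for k, p in selection.items())

# Constructed process_creation events (not real telemetry).
FW = "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319"
SAMPLE_EVENTS = [
    {"id": "vbc-spawns-cvtres", "ParentImage": FW + "\\vbc.exe", "Image": FW + "\\cvtres.exe"},
    {"id": "upper-case-paths", "ParentImage": FW.upper() + "\\VBC.EXE", "Image": FW.upper() + "\\CVTRES.EXE"},
    {"id": "csc-spawns-cvtres", "ParentImage": FW + "\\csc.exe", "Image": FW + "\\cvtres.exe"},
    {"id": "vbc-spawns-conhost", "ParentImage": FW + "\\vbc.exe", "Image": "C:\\Windows\\System32\\conhost.exe"},
    # The leading backslash in the pattern keeps a look-alike file name from matching.
    {"id": "lookalike-parent-name", "ParentImage": "C:\\Tools\\notvbc.exe", "Image": FW + "\\cvtres.exe"},
    {"id": "parent-field-missing", "Image": FW + "\\cvtres.exe"},
]

def alerts(events):
    """Return the ids of events the rule's condition (selection) fires on."""
    return [e["id"] for e in events if selection_matches(e)]

if __name__ == "__main__":
    for hit in alerts(SAMPLE_EVENTS):
        print("ALERT (level: high):", hit)
```

Because the rule keys on the parent/child pair, a log source that drops `ParentImage` produces no alert at all, as the last sample event shows.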
Related rules
- Csc.EXE Execution Form Potentially Suspicious Parent
- Dynamic .NET Compilation Via Csc.EXE
- Dynamic CSharp Compile Artefact
- Potential Application Whitelisting Bypass via Dnx.EXE
- AD Object WriteDAC Access