Visual Basic Command Line Compiler Usage
Detects successful code compilation via Visual Basic Command Line Compiler that utilizes Windows Resource to Object Converter.
Sigma rule
```yaml
title: Visual Basic Command Line Compiler Usage
id: 7b10f171-7f04-47c7-9fa2-5be43c76e535
status: test
description: Detects successful code compilation via Visual Basic Command Line Compiler that utilizes Windows Resource to Object Converter.
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Vbc/
author: 'Ensar Şamil, @sblmsrsn, @oscd_initiative'
date: 2020/10/07
modified: 2021/11/27
tags:
    - attack.defense_evasion
    - attack.t1027.004
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\vbc.exe'
        Image|endswith: '\cvtres.exe'
    condition: selection
falsepositives:
    - Utilization of this tool should not be seen in enterprise environment
level: high
```
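The rule's selection evaluated over constructed process-creation events, to show which parent/child pairs it fires on and which it skips. This is an added example, not part of the rule or of the Sigma project's code; the helper names, event dictionaries and paths are assumptions made for illustration.

```python
# Added example: the rule's `selection` applied to constructed events.
# Field names (ParentImage, Image) come from the rule; everything else is assumed.

def endswith_ci(value, suffix):
    """Sigma |endswith modifier: case-insensitive suffix match on a string field."""
    return isinstance(value, str) and value.lower().endswith(suffix.lower())


def matches_rule(event):
    """Both keys of the selection map must match (logical AND)."""
    return (endswith_ci(event.get("ParentImage"), "\\vbc.exe")
            and endswith_ci(event.get("Image"), "\\cvtres.exe"))


NET = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319"

# Constructed sample events (not real telemetry).
EVENTS = [
    # 1: vbc.exe spawning cvtres.exe -> match
    {"id": 1, "ParentImage": NET + r"\vbc.exe", "Image": NET + r"\cvtres.exe"},
    # 2: same pair in different letter case -> still a match
    {"id": 2, "ParentImage": NET.upper() + r"\VBC.EXE", "Image": NET + r"\CvtRes.exe"},
    # 3: a different parent spawning cvtres.exe -> outside this rule's scope
    {"id": 3, "ParentImage": NET + r"\csc.exe", "Image": NET + r"\cvtres.exe"},
    # 4: file name merely ending in "vbc.exe"; the leading backslash
    #    in the pattern anchors the match to the full file name
    {"id": 4, "ParentImage": r"C:\Tools\notvbc.exe", "Image": NET + r"\cvtres.exe"},
    # 5: event without a ParentImage field -> no match, no exception
    {"id": 5, "Image": NET + r"\cvtres.exe"},
    # 6: vbc.exe spawning an unrelated child -> no match
    {"id": 6, "ParentImage": NET + r"\vbc.exe", "Image": r"C:\Windows\System32\conhost.exe"},
]


def alerts(events):
    """Return the ids of the events the selection matches."""
    return [e["id"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    print("matching event ids:", alerts(EVENTS))
```
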
References
Related rules
- Bypass UAC via CMSTP
- Bypass UAC via WSReset.exe
- CMSTP Execution Process Creation
- DLL Execution via Rasautou.exe
- Indirect Command Execution By Program Compatibility Wizard