Query Details

VB Script Usage Detection

Query

//KQL Query to identify usage of VBScript engine and artefacts in your environment
//Helps prepare for upcoming VBScript deprecation
// Sentinel
union DeviceProcessEvents, DeviceNetworkEvents, DeviceEvents
| where TimeGenerated > ago(30d)
// DeviceNetworkEvents has no ProcessCommandLine column (only InitiatingProcessCommandLine),
// so fall back to the initiating process so rows from that table are not silently dropped
| extend ProcessCommandLine = coalesce(ProcessCommandLine, InitiatingProcessCommandLine)
| where ProcessCommandLine has_any ("wscript", "Wscript.Shell", "WScript.CreateObject", "cscript", "vbscript")
// split the command line into Windows-style tokens (double-quoted paths stay together)
| extend CommandLine = parse_command_line(ProcessCommandLine, "windows")
| mv-expand CommandLine
// keep only the tokens that name a .vbs file
| where CommandLine has ".vbs"
| summarize Count = count() by VBScript = tostring(CommandLine)

// Defender XDR
union DeviceProcessEvents, DeviceNetworkEvents, DeviceEvents
| where Timestamp > ago(30d)
// DeviceNetworkEvents has no ProcessCommandLine column (only InitiatingProcessCommandLine),
// so fall back to the initiating process so rows from that table are not silently dropped
| extend ProcessCommandLine = coalesce(ProcessCommandLine, InitiatingProcessCommandLine)
| where ProcessCommandLine has_any ("wscript", "Wscript.Shell", "WScript.CreateObject", "cscript", "vbscript")
// split the command line into Windows-style tokens (double-quoted paths stay together)
| extend CommandLine = parse_command_line(ProcessCommandLine, "windows")
| mv-expand CommandLine
// keep only the tokens that name a .vbs file
| where CommandLine has ".vbs"
| summarize Count = count() by VBScript = tostring(CommandLine)

Explanation

This KQL query helps identify use of the VBScript engine (the wscript.exe and cscript.exe script hosts) and related artifacts in your environment, so that dependencies can be inventoried ahead of the announced VBScript deprecation. The query works as follows:

  1. Data Source: It unions three tables: DeviceProcessEvents, DeviceNetworkEvents, and DeviceEvents. Only DeviceProcessEvents and DeviceEvents carry a ProcessCommandLine column; DeviceNetworkEvents records the launching process's command line only in InitiatingProcessCommandLine, so rows from that table match only if the query also considers that column (for example via coalesce).

  2. Time Frame: It restricts results to events from the last 30 days.

  3. Filtering: It keeps rows whose command line contains any of the keywords associated with VBScript usage: "wscript", "Wscript.Shell", "WScript.CreateObject", "cscript", and "vbscript". has_any is a term match, not a substring match, and is case-insensitive, so "wscript" matches "WScript.exe" but "vbs" would not match "vbscript".

  4. Command Line Parsing: parse_command_line with the "windows" option splits the command line into its individual arguments, keeping double-quoted paths with spaces together as one token.

  5. VBScript Identification: After mv-expand turns each argument into its own row, it keeps only the tokens that contain the term ".vbs", i.e. the arguments that name a VBScript file.

  6. Summarization: Finally, it counts the occurrences of each unique .vbs token and presents the result, showing which scripts run and how often.

Because the final ".vbs" filter decides what is reported, engine use that does not reference a .vbs file is not in the output: a command line such as wscript.exe //E:vbscript with a file of another extension, or a PowerShell command that instantiates WScript.Shell, passes the keyword filter but is dropped at step 5. If that usage matters for your inventory, query the keyword matches without the ".vbs" step as well.
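The six steps above, emulated in Python as an added example (this is not the page's query and not Microsoft code): it applies simplified stand-ins for Kusto's term matching (has_any, has) and for parse_command_line(x, "windows") to a few constructed command lines, then summarizes per .vbs token exactly as the query does. It also returns the command lines that pass the keyword filter but produce no .vbs token, which is where engine invocations without a .vbs file end up. The sample command lines, the tokenizer and the term matcher are all assumptions for illustration.

```python
import re
from collections import Counter

# Constructed sample ProcessCommandLine values; not real telemetry.
SAMPLE_COMMAND_LINES = [
    r'wscript.exe "C:\Scripts\Logon Script.vbs" /silent',
    r'cscript.exe //nologo C:\Tools\inventory.vbs',
    r'cscript.exe //nologo C:\Tools\inventory.vbs',
    r'"C:\Windows\System32\wscript.exe" C:\Temp\update.VBS',
    r'wscript.exe //E:vbscript C:\Temp\payload.txt',                   # engine forced, no .vbs extension
    r'powershell.exe -c "$sh = New-Object -ComObject WScript.Shell"',  # COM use from another host
    r'cscript.exe //nologo C:\Tools\check.js',                         # JScript, not VBScript
    r'notepad.exe C:\Users\alice\notes.txt',
]

# The has_any() keyword list from the query.
KEYWORDS = ("wscript", "Wscript.Shell", "WScript.CreateObject", "cscript", "vbscript")


def terms(text):
    """Approximate Kusto term extraction: runs of alphanumerics, lower-cased."""
    return [t.lower() for t in re.split(r"[^A-Za-z0-9_]+", text) if t]


def has_term(text, needle):
    """Approximate KQL `has`: the needle's terms must appear as whole, adjacent terms (case-insensitive)."""
    want, have = terms(needle), terms(text)
    n = len(want)
    return any(have[i:i + n] == want for i in range(len(have) - n + 1))


def parse_command_line_windows(cmdline):
    """Approximate parse_command_line(x, "windows"): split on whitespace, keeping double-quoted runs together."""
    tokens, current, in_quotes = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if current:
                tokens.append("".join(current))
                current = []
        else:
            current.append(ch)
    if current:
        tokens.append("".join(current))
    return tokens


def summarize_vbscript_usage(command_lines):
    """Steps 3-6 of the query: keyword filter, tokenize, mv-expand, keep .vbs tokens, count per token."""
    counts = Counter()
    for cmd in command_lines:
        if not any(has_term(cmd, k) for k in KEYWORDS):    # where ProcessCommandLine has_any (...)
            continue
        for token in parse_command_line_windows(cmd):      # extend CommandLine = ... | mv-expand
            if has_term(token, ".vbs"):                    # where CommandLine has ".vbs"
                counts[token] += 1                         # summarize Count = count() by VBScript
    return counts


def keyword_hits_without_vbs(command_lines):
    """Command lines that pass the keyword filter but yield no .vbs token: engine use the query does not report."""
    return [cmd for cmd in command_lines
            if any(has_term(cmd, k) for k in KEYWORDS)
            and not any(has_term(t, ".vbs") for t in parse_command_line_windows(cmd))]


if __name__ == "__main__":
    for script, count in summarize_vbscript_usage(SAMPLE_COMMAND_LINES).most_common():
        print(f"{count:>3}  {script}")
    print("\nKeyword hits dropped by the .vbs filter:")
    for cmd in keyword_hits_without_vbs(SAMPLE_COMMAND_LINES):
        print("  ", cmd)
```

Running it shows the three scripts the query would report, with the duplicated cscript.exe invocation counted twice, and the three keyword matches (the //E:vbscript launch, the WScript.Shell COM call from PowerShell, and the JScript run under cscript.exe) that never reach the summarize step.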

Details


Nicola Suter

Released: November 10, 2024

Tables

DeviceProcessEvents, DeviceNetworkEvents, DeviceEvents

Keywords

DeviceProcessEvents, DeviceNetworkEvents, DeviceEvents, VBScriptUsage, VBScriptDeprecation, Sentinel, DefenderXDR

Operators

union, where, has_any, extend, parse_command_line, mv-expand, summarize, count, tostring, ago
