T1059.005: T1059.005
Essential information
- MITRE technique ID
- T1059.005
- Confidence
- 100/100
- Revoked
- No
- Published
- 09/03/2020 15:29
- Modified
- 27/03/2026 01:12
- Author / Source
- The MITRE Corporation
Aliases
Visual Basic
Platforms
windows macos linux
Description
Kill chain phases
| Kill chain | Phase |
|---|---|
| mitre-attack | execution |
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.
Intrusion sets (APT) (70)
- Ghostwriter · related · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- Gootloader · related · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- Gorgon Group · related · The MITRE Corporation · Confidence 100
  [Gorgon Group](https://attack.mitre.org/groups/G0078) is a threat group consisting of members who are suspected to be Pakistan-based or have other connections to Pakistan. The group has performed a mix of…
  First seen 01/01/1970 · Last seen 16/11/5138
- Grandoreiro · related · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- Greedy Sponge · related · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- The MITRE Corporation · Confidence 100
  [HEXANE](https://attack.mitre.org/groups/G1001) is a cyber espionage threat group that has targeted oil & gas, telecommunications, aviation, and internet service provider organizations since at least 2017. Targeted companies have been…
  First seen 01/01/1970 · Last seen 16/11/5138
- Higaisa · related · The MITRE Corporation · Confidence 100
  [Higaisa](https://attack.mitre.org/groups/G0126) is a threat group suspected to have South Korean origins. [Higaisa](https://attack.mitre.org/groups/G0126) has targeted government, public, and trade organizations in North Korea; however, they have also carried out…
  First seen 01/01/1970 · Last seen 16/11/5138
- Homeland Justice · related · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- Horabot · related · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- KONNI · related · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
Malware (72)
- RustDoor · uses · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- DigitalPulse · uses · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- OctoRAT · uses · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- AMOS · uses · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- QuasarRAT · uses · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- JCry · uses · Family · The MITRE Corporation · Confidence 100
  [JCry](https://attack.mitre.org/software/S0389) is ransomware written in Go. It was identified as a part of the #OpJerusalem 2019 campaign. (Citation: Carbon Black JCry May 2019)
  First seen 01/01/1970 · Last seen 16/11/5138
- Emotet · uses · Family · The MITRE Corporation · Confidence 100
  [Emotet](https://attack.mitre.org/software/S0367) is a modular malware variant which is primarily used as a downloader for other malware variants such as [TrickBot](https://attack.mitre.org/software/S0266) and [IcedID](https://attack.mitre.org/software/S0483). Emotet first emerged in June 2014,…
  First seen 01/01/1970 · Last seen 16/11/5138
- Salve · uses · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- SneakMain · uses · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- Helminth · uses · Family · The MITRE Corporation · Confidence 100
  [Helminth](https://attack.mitre.org/software/S0170) is a backdoor that has at least two variants - one written in VBScript and PowerShell that is delivered via macros in Excel spreadsheets, and one…
  First seen 01/01/1970 · Last seen 16/11/5138
- QUADAGENT · uses · Family · The MITRE Corporation · Confidence 100
  [QUADAGENT](https://attack.mitre.org/software/S0269) is a PowerShell backdoor used by [OilRig](https://attack.mitre.org/groups/G0049). (Citation: Unit 42 QUADAGENT July 2018)
  First seen 01/01/1970 · Last seen 16/11/5138
Reports (50)
- 11 MITREs · 8 Observables · 1 APT
- 26 MITREs · 11 Observables
- 1 CVE · 19 MITREs · 1 Malware · 13 Observables
- 18 MITREs · 2 Malwares · 1 Observable · 1 APT
- 8 MITREs · 2 Malwares · 7 Observables · 1 APT
- 13 MITREs · 4 Malwares · 1 APT
- 11 MITREs · 3 Malwares · 5 Observables
- 18 MITREs · 2 Malwares · 8 Observables
- 14 MITREs · 1 Malware · 2 Observables · 1 APT
- 20 MITREs · 2 Malwares · 4 Observables
- 21 MITREs · 2 Malwares · 9 Observables · 1 APT
- 10 MITREs · 3 Malwares
Vulnerabilities (CVE) (37)
NVIDIA Display Driver for Windows and Linux contains a vulnerability in the kernel mode layer, where a user could cause improper access …
- Attack vector
- Local
- Complexity
- Low
- Published
- 26/05/2026
- Modified
- 25/06/2026
Microsoft Exchange Server contains an unspecified vulnerability that allows for remote code execution. This vulnerability is part of the ProxyLogon exploit chain.
- Published
- 03/11/2021
- Modified
- 20/12/2025
Memory overflow vulnerability leading to Remote Code Execution and/or Denial of Service in NetScaler ADC and NetScaler Gateway when NetScaler is configured …
- Attack vector
- Network
- Published
- 26/08/2025
- Modified
- 27/05/2026
- Published
- 20/12/2025
- Modified
- 21/12/2025
Google Chromium contains a race condition vulnerability that allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. …
- Published
- 03/11/2021
- Modified
- 21/12/2025
Incorrect implementation of an authentication algorithm in Ivanti vTM other than versions 22.2R1 or 22.7R2 allows a remote unauthenticated attacker to bypass …
- Attack vector
- Network
- Complexity
- LOW
- Published
- 13/08/2024
- Modified
- 06/06/2026
Microsoft Exchange Server contains an unspecified vulnerability that allows for remote code execution.
- Published
- 03/11/2021
- Modified
- 29/05/2026
Apache ActiveMQ contains a deserialization of untrusted data vulnerability that may allow a remote attacker with network access to a broker to …
- Attack vector
- Network
- Published
- 02/11/2023
- Modified
- 21/12/2025
Fortra (formerly, HelpSystems) GoAnywhere MFT contains a pre-authentication remote code execution vulnerability in the License Response Servlet due to deserializing an attacker-controlled …
- Attack vector
- Network
- Published
- 10/02/2023
- Modified
- 21/12/2025
Jenkins 2.470 and earlier, LTS 2.452.3 and earlier allows agent processes to read arbitrary files from the Jenkins controller file system by …
- Attack vector
- NETWORK
- Published
- 07/08/2024
- Modified
- 21/12/2025
SolarWinds Web Help Desk contains a deserialization of untrusted data vulnerability that could allow for remote code execution.
- Attack vector
- Network
- Published
- 15/08/2024
- Modified
- 21/12/2025
Output Messenger before 2.0.63 was vulnerable to a directory traversal attack through improper file path handling. By using ../ sequences in parameters, …
- Attack vector
- Network
- Published
- 19/05/2025
- Modified
- 21/12/2025
Campaign (2)
- FunnyDream · uses
- Juicy Mix · uses