AhnLab EPP

Last updated Dec 2, 2025

PowerShell or VBA Detected

Detects attempts to execute PowerShell or VBA scripts in AhnLab EPP V3 malware alert logs.

Query

The AhnLab V3 antivirus engine reports command-line script execution attempts under signature names such as Downloader/PS.Agent, Downloader/PowerShell.Agent.SC186725 and VBA/Malma. The query therefore selects alerts whose signature field ends with PS.Agent, contains PowerShell.Agent., or starts with VBA/, using the wildcard patterns below.

| search in(signature, "*PS.Agent", "*PowerShell.Agent.*", "VBA/*")

Message

  • AhnLab EPP V3 Command-Line and PowerShell Execution Detected: Host $host_ip, Malware $signature

Field Order

  • _log_time, hostname, host_ip, emp_name, dept_name, signature, file_path, file_status, md5
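The following Python is an added example, not part of this rule or of the AhnLab or Logpresso products: it reproduces the three wildcard patterns of the query above over constructed alert records laid out in the Field Order, and builds the Message text for each hit. It assumes `*` is the only wildcard and that matching is case-insensitive; the sample signatures that do not match (including a made-up `Downloader/PS.Agent.Gen`) show that `*PS.Agent` only matches names ending exactly in PS.Agent, which is worth checking against the signature names your engine actually emits.

```python
import re

# The three patterns from the rule's query:
#   search in(signature, "*PS.Agent", "*PowerShell.Agent.*", "VBA/*")
SIGNATURE_PATTERNS = ("*PS.Agent", "*PowerShell.Agent.*", "VBA/*")

MESSAGE = ("AhnLab EPP V3 Command-Line and PowerShell Execution Detected: "
           "Host {host_ip}, Malware {signature}")

# Constructed sample alerts in the page's field order (not real telemetry;
# the md5 values are placeholders).
SAMPLE_ALERTS = [
    {"_log_time": "2025-12-02 09:14:03", "hostname": "WS-017", "host_ip": "10.0.5.17",
     "emp_name": "J. Doe", "dept_name": "Finance", "signature": "VBA/Malma",
     "file_path": "C:\\Users\\jdoe\\Downloads\\invoice.docm",
     "file_status": "quarantined", "md5": "<md5-placeholder>"},
    {"_log_time": "2025-12-02 09:20:41", "hostname": "WS-042", "host_ip": "10.0.5.42",
     "emp_name": "A. Kim", "dept_name": "Sales", "signature": "Downloader/PowerShell.Agent.SC186725",
     "file_path": "C:\\Users\\akim\\AppData\\Local\\Temp\\update.ps1",
     "file_status": "quarantined", "md5": "<md5-placeholder>"},
    {"_log_time": "2025-12-02 09:31:12", "hostname": "WS-042", "host_ip": "10.0.5.42",
     "emp_name": "A. Kim", "dept_name": "Sales", "signature": "Trojan/Win32.Generic",
     "file_path": "C:\\Users\\akim\\Downloads\\setup.exe",
     "file_status": "quarantined", "md5": "<md5-placeholder>"},
    {"_log_time": "2025-12-02 09:35:58", "hostname": "WS-007", "host_ip": "10.0.5.7",
     "emp_name": "M. Lee", "dept_name": "HR", "signature": "Downloader/PS.Agent.Gen",  # hypothetical name
     "file_path": "C:\\Users\\mlee\\Downloads\\run.bat",
     "file_status": "detected", "md5": "<md5-placeholder>"},
]


def glob_to_regex(pattern: str) -> re.Pattern:
    # Translate the query's '*' wildcard into a regex; every other character is
    # literal, so the '.' in 'PS.Agent' is escaped. Case-insensitivity is an
    # assumption about the query engine; verify it against yours.
    parts = pattern.split("*")
    return re.compile("^" + ".*".join(re.escape(p) for p in parts) + "$", re.IGNORECASE)


def signature_matches(signature: str, patterns=SIGNATURE_PATTERNS) -> bool:
    """True if the signature satisfies any of the query's wildcard patterns."""
    return any(glob_to_regex(p).match(signature) for p in patterns)


def filter_alerts(alerts):
    """Keep only the alerts the rule would raise (same selection as the query)."""
    return [a for a in alerts if signature_matches(a["signature"])]


def alert_message(alert) -> str:
    """Render the rule's Message line for one matching alert."""
    return MESSAGE.format(**alert)


if __name__ == "__main__":
    for hit in filter_alerts(SAMPLE_ALERTS):
        print(hit["_log_time"], alert_message(hit))
```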

Threat Analysis

  • PowerShell and VBA scripts provide powerful automation and command execution capabilities in Windows environments, making them frequently exploited by attackers for initial payload download, additional malware execution, and system information gathering.
  • PowerShell becomes more difficult to detect when combined with in-memory execution, obfuscation, or logging evasion techniques, and VBA macros remain a primary tool in email-based spear-phishing attacks.
  • Detection of such script execution indicates that a malicious document or script may have run without the user’s knowledge, requiring immediate verification.

False Positive

  • IT operations teams may use PowerShell legitimately for management scripts, automation tasks, or software deployment, which can trigger detections.
  • Normal VBA-based operations within internal Excel or Word documents may also result in false positives.

Response Actions

  • Verify with the user or IT operations team whether the detected script file is legitimate, and review the script contents and execution path.
  • If the file is malicious, analyze the endpoint’s download activity and process tree to identify the malware infiltration vector.
  • Consider the possibility of spear-phishing, review related email attachments and sender information, and isolate the endpoint if necessary.
  • Review and strengthen organizational security configurations such as PowerShell execution policies (Constrained Language Mode), macro security settings, and AMSI enforcement.

MITRE ATT&CK