T1564.007 VBA Stomping Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let OfficeApps = dynamic(["winword.exe", "excel.exe", "powerpnt.exe", "msaccess.exe", "mspub.exe", "visio.exe", "outlook.exe", "onenote.exe"]);
let SuspiciousChildren = dynamic(["cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "bitsadmin.exe", "certutil.exe", "msiexec.exe", "wmic.exe", "odbcconf.exe", "forfiles.exe", "schtasks.exe", "at.exe", "pcalua.exe", "installutil.exe", "regasm.exe", "regsvcs.exe"]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName has_any (OfficeApps)
| where FileName has_any (SuspiciousChildren)
| extend IsPowerShell = FileName in~ ("powershell.exe", "pwsh.exe")
| extend IsScriptHost = FileName in~ ("wscript.exe", "cscript.exe", "mshta.exe")
| extend IsLOLBin = FileName in~ ("rundll32.exe", "regsvr32.exe", "certutil.exe", "odbcconf.exe", "bitsadmin.exe", "installutil.exe", "regasm.exe", "regsvcs.exe")
| extend IsShell = FileName =~ "cmd.exe"
| extend IsPersistence = FileName in~ ("schtasks.exe", "at.exe", "msiexec.exe")
| extend RiskScore = toint(IsPowerShell) * 3 + toint(IsScriptHost) * 3 + toint(IsLOLBin) * 2 + toint(IsShell) * 1 + toint(IsPersistence) * 2
| extend SuspiciousCommandLine = ProcessCommandLine has_any ("-enc", "-EncodedCommand", "DownloadString", "Net.WebClient", "Invoke-Expression", "IEX", "http://", "https://", "-nop", "-noprofile")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         InitiatingProcessFolderPath, FolderPath,
         IsPowerShell, IsScriptHost, IsLOLBin, IsShell, IsPersistence,
         SuspiciousCommandLine, RiskScore
| sort by Timestamp desc

high severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

Finance and accounting teams using Excel macros that invoke cmd.exe or PowerShell for data export pipelines, FTP uploads, or ERP system automation
IT-managed Excel workbooks that launch PowerShell for SCCM inventory collection, compliance reporting, or system configuration checks
Developer workstations where Office VBA macros automate build, test, or deployment tasks by spawning scripts
Helpdesk support tooling that uses Word or Excel macros to launch remote assistance utilities or system diagnostic scripts

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
  (ParentImage="*\\winword.exe" OR ParentImage="*\\excel.exe" OR ParentImage="*\\powerpnt.exe"
   OR ParentImage="*\\msaccess.exe" OR ParentImage="*\\mspub.exe" OR ParentImage="*\\outlook.exe"
   OR ParentImage="*\\onenote.exe")
  (Image="*\\cmd.exe" OR Image="*\\powershell.exe" OR Image="*\\pwsh.exe"
   OR Image="*\\wscript.exe" OR Image="*\\cscript.exe" OR Image="*\\mshta.exe"
   OR Image="*\\rundll32.exe" OR Image="*\\regsvr32.exe" OR Image="*\\certutil.exe"
   OR Image="*\\msiexec.exe" OR Image="*\\wmic.exe" OR Image="*\\bitsadmin.exe"
   OR Image="*\\schtasks.exe" OR Image="*\\installutil.exe" OR Image="*\\regasm.exe"
   OR Image="*\\odbcconf.exe")
| eval IsPowerShell=if(match(Image, "(powershell\.exe|pwsh\.exe)$"), 1, 0)
| eval IsScriptHost=if(match(Image, "(wscript\.exe|cscript\.exe|mshta\.exe)$"), 1, 0)
| eval IsLOLBin=if(match(Image, "(rundll32\.exe|regsvr32\.exe|certutil\.exe|odbcconf\.exe|bitsadmin\.exe|installutil\.exe|regasm\.exe)$"), 1, 0)
| eval IsShell=if(match(Image, "cmd\.exe$"), 1, 0)
| eval IsPersistence=if(match(Image, "(schtasks\.exe|at\.exe|msiexec\.exe)$"), 1, 0)
| eval cl_lower=lower(CommandLine)
| eval SuspiciousCommandLine=if(match(cl_lower, "(-enc|-encodedcommand|downloadstring|net\.webclient|invoke-expression|iex|http://|https://|-nop|-noprofile)"), 1, 0)
| eval RiskScore=IsPowerShell*3 + IsScriptHost*3 + IsLOLBin*2 + IsShell + IsPersistence*2 + SuspiciousCommandLine*2
| table _time, host, User, ParentImage, ParentCommandLine, Image, CommandLine,
        IsPowerShell, IsScriptHost, IsLOLBin, IsShell, IsPersistence, SuspiciousCommandLine, RiskScore
| sort - _time

high severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Finance and accounting teams using Excel macros that invoke cmd.exe or PowerShell for data export pipelines, FTP uploads, or ERP system automation
IT-managed Excel workbooks that launch PowerShell for SCCM inventory collection, compliance reporting, or system configuration checks
Developer workstations where Office VBA macros automate build, test, or deployment tasks by spawning scripts
Helpdesk support tooling that uses Word or Excel macros to launch remote assistance utilities or system diagnostic scripts

Elastic Security (EQL)

eql

process where event.type == "start" and
  process.parent.name : ("winword.exe","excel.exe","powerpnt.exe","msaccess.exe",
                           "mspub.exe","visio.exe","outlook.exe","onenote.exe") and
  process.name : ("cmd.exe","powershell.exe","pwsh.exe","wscript.exe","cscript.exe",
                   "mshta.exe","rundll32.exe","regsvr32.exe","bitsadmin.exe",
                   "certutil.exe","msiexec.exe","wmic.exe") and
  not (process.parent.name == "winword.exe" and process.name == "csc.exe")

high severity medium confidence

Data Sources

Windows Process Events

Required Tables

logs-endpoint.events.process-*

False Positives

Finance and accounting teams using Excel macros that invoke cmd.exe or PowerShell for data export pipelines, FTP uploads, or ERP system automation
IT-managed Excel workbooks that launch PowerShell for SCCM inventory collection, compliance reporting, or system configuration checks
Developer workstations where Office VBA macros automate build, test, or deployment tasks by spawning scripts
Helpdesk support tooling that uses Word or Excel macros to launch remote assistance utilities or system diagnostic scripts

IBM QRadar (AQL)

sql

SELECT DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') as EventTime,
  logsourcename(logsourceid) as LogSource, username as User,
  "ParentImage" as OfficeApp, "Image" as ChildProcess, "CommandLine" as CommandLine,
  CASE WHEN "Image" ILIKE '%powershell.exe%' OR "Image" ILIKE '%pwsh.exe%' THEN 10
       WHEN "Image" ILIKE '%mshta.exe%' OR "Image" ILIKE '%wscript.exe%' THEN 9
       WHEN "Image" ILIKE '%cmd.exe%' THEN 8
       ELSE 6 END as RiskScore
FROM events
WHERE eventid IN (1, 4688)
  AND LOWER(coalesce("ParentImage","")) LIKE ANY
    ('%winword.exe%','%excel.exe%','%powerpnt.exe%','%msaccess.exe%','%mspub.exe%','%outlook.exe%')
  AND LOWER("Image") LIKE ANY
    ('%cmd.exe%','%powershell.exe%','%pwsh.exe%','%wscript.exe%','%cscript.exe%',
     '%mshta.exe%','%rundll32.exe%','%regsvr32.exe%','%bitsadmin.exe%','%certutil.exe%','%wmic.exe%')
ORDER BY RiskScore DESC, EventTime DESC

high severity medium confidence

Data Sources

Windows Security Event Log Windows Sysmon

Required Tables

events

False Positives

Finance and accounting teams using Excel macros that invoke cmd.exe or PowerShell for data export pipelines, FTP uploads, or ERP system automation
IT-managed Excel workbooks that launch PowerShell for SCCM inventory collection, compliance reporting, or system configuration checks
Developer workstations where Office VBA macros automate build, test, or deployment tasks by spawning scripts
Helpdesk support tooling that uses Word or Excel macros to launch remote assistance utilities or system diagnostic scripts

Sumo Logic CSE

sql

_sourceCategory=windows/sysmon OR _sourceCategory=windows/security
| json auto
| where EventID in ("1","4688")
| eval ParentLower = toLower(coalesce(ParentImage, ParentProcessName, ""))
| eval ImageLower = toLower(coalesce(Image, NewProcessName, ""))
| where ParentLower matches ".*(winword|excel|powerpnt|msaccess|mspub|outlook|onenote)\.exe.*"
| where ImageLower matches ".*(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|bitsadmin|certutil|wmic)\.exe.*"
| eval risk = case(
    ImageLower matches ".*(powershell|pwsh|mshta|wscript).*", "critical",
    ImageLower matches ".*(cmd|bitsadmin|certutil).*", "high",
    true(), "medium")
| table _time, Computer, User, ParentImage, Image, CommandLine, risk
| sort by _time desc

high severity medium confidence

Data Sources

Windows Sysmon via Sumo Logic Windows Security via Sumo Logic

Required Tables

windows/sysmon windows/security

False Positives

Finance and accounting teams using Excel macros that invoke cmd.exe or PowerShell for data export pipelines, FTP uploads, or ERP system automation
IT-managed Excel workbooks that launch PowerShell for SCCM inventory collection, compliance reporting, or system configuration checks
Developer workstations where Office VBA macros automate build, test, or deployment tasks by spawning scripts
Helpdesk support tooling that uses Word or Excel macros to launch remote assistance utilities or system diagnostic scripts

Google Chronicle / SecOps

yaral

rule office_suspicious_child_process {
  meta:
    author = "Detection Engineering"
    description = "Detects Office apps spawning suspicious child processes — VBA stomping indicator (T1564.007)"
    severity = "HIGH"
    tactic = "TA0005"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    re.regex($e.principal.process.file.full_path, `(?i)(winword|excel|powerpnt|msaccess|mspub|outlook|onenote)\.exe`) nocase
    re.regex($e.target.process.file.full_path, `(?i)(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|bitsadmin|certutil|wmic)\.exe`) nocase

  condition:
    $e
}

high severity medium confidence

Data Sources

Windows Process Events via Chronicle UDM

Required Tables

PROCESS_LAUNCH

False Positives

Finance and accounting teams using Excel macros that invoke cmd.exe or PowerShell for data export pipelines, FTP uploads, or ERP system automation
IT-managed Excel workbooks that launch PowerShell for SCCM inventory collection, compliance reporting, or system configuration checks
Developer workstations where Office VBA macros automate build, test, or deployment tasks by spawning scripts
Helpdesk support tooling that uses Word or Excel macros to launch remote assistance utilities or system diagnostic scripts

CrowdStrike LogScale (CQL)

cql

#event_simpleName = "ProcessRollup2"
| ParentBaseFileName = /(winword|excel|powerpnt|msaccess|mspub|outlook|onenote)\.exe/i
| ImageFileName = /(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|bitsadmin|certutil|wmic)\.exe$/i
| eval risk = case {
    ImageFileName = /(powershell|pwsh|mshta|wscript)\.exe$/i : "critical";
    ImageFileName = /(cmd|bitsadmin|certutil|regsvr32)\.exe$/i : "high";
    * : "medium"
  }
| table timestamp, ComputerName, UserName, ParentBaseFileName, ImageFileName, CommandLine, risk
| sort by timestamp desc

high severity medium confidence

Data Sources

CrowdStrike Falcon Process Events

Required Tables

ProcessRollup2

False Positives

Finance and accounting teams using Excel macros that invoke cmd.exe or PowerShell for data export pipelines, FTP uploads, or ERP system automation
IT-managed Excel workbooks that launch PowerShell for SCCM inventory collection, compliance reporting, or system configuration checks
Developer workstations where Office VBA macros automate build, test, or deployment tasks by spawning scripts
Helpdesk support tooling that uses Word or Excel macros to launch remote assistance utilities or system diagnostic scripts

VBA Stomping

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections