Esc
VBA Stomping - T1564.007
(ATT&CK® Technique)
Definition
Adversaries may hide malicious Visual Basic for Applications (VBA) payloads embedded within MS Office documents by replacing the VBA source code with benign data.
D3FEND Inferred Relationships
Browse the D3FEND knowledge graph by clicking on the nodes below.
graph LR; T1564007["VBA Stomping"] --> |modifies| OfficeApplicationFile["Office Application File"]; class T1564007 OffensiveTechniqueNode; class OfficeApplicationFile ArtifactNode; click OfficeApplicationFile href "/dao/artifact/d3f:OfficeApplicationFile"; click T1564007 href "/offensive-technique/attack/T1564.007/"; click OfficeApplicationFile href "/dao/artifact/d3f:OfficeApplicationFile"; DynamicAnalysis["Dynamic Analysis"] --> | analyzes | OfficeApplicationFile["Office Application File"]; DynamicAnalysis["Dynamic Analysis"] -.-> | may-detect | T1564007["VBA Stomping"] ; class DynamicAnalysis DefensiveTechniqueNode; class OfficeApplicationFile ArtifactNode; click DynamicAnalysis href "/technique/d3f:DynamicAnalysis"; EmulatedFileAnalysis["Emulated File Analysis"] --> | analyzes | OfficeApplicationFile["Office Application File"]; EmulatedFileAnalysis["Emulated File Analysis"] -.-> | may-detect | T1564007["VBA Stomping"] ; class EmulatedFileAnalysis DefensiveTechniqueNode; class OfficeApplicationFile ArtifactNode; click EmulatedFileAnalysis href "/technique/d3f:EmulatedFileAnalysis"; LocalFilePermissions["Local File Permissions"] --> | restricts | OfficeApplicationFile["Office Application File"]; LocalFilePermissions["Local File Permissions"] -.-> | may-isolate | T1564007["VBA Stomping"] ; class LocalFilePermissions DefensiveTechniqueNode; class OfficeApplicationFile ArtifactNode; click LocalFilePermissions href "/technique/d3f:LocalFilePermissions"; FileEviction["File Eviction"] --> | deletes | OfficeApplicationFile["Office Application File"]; FileEviction["File Eviction"] -.-> | may-evict | T1564007["VBA Stomping"] ; class FileEviction DefensiveTechniqueNode; class OfficeApplicationFile ArtifactNode; click FileEviction href "/technique/d3f:FileEviction"; RestoreFile["Restore File"] --> | restores | OfficeApplicationFile["Office Application File"]; RestoreFile["Restore File"] -.-> | may-restore | T1564007["VBA Stomping"] ; class RestoreFile DefensiveTechniqueNode; class OfficeApplicationFile ArtifactNode; click RestoreFile href "/technique/d3f:RestoreFile"; FileIntegrityMonitoring["File Integrity Monitoring"] --> | analyzes | OfficeApplicationFile["Office Application File"]; FileIntegrityMonitoring["File Integrity Monitoring"] -.-> | may-detect | T1564007["VBA Stomping"] ; class FileIntegrityMonitoring DefensiveTechniqueNode; class OfficeApplicationFile ArtifactNode; click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring"; DecoyFile["Decoy File"] --> | spoofs | OfficeApplicationFile["Office Application File"]; DecoyFile["Decoy File"] -.-> | may-deceive | T1564007["VBA Stomping"] ; class DecoyFile DefensiveTechniqueNode; class OfficeApplicationFile ArtifactNode; click DecoyFile href "/technique/d3f:DecoyFile"; FileEncryption["File Encryption"] --> | encrypts | OfficeApplicationFile["Office Application File"]; FileEncryption["File Encryption"] -.-> | may-harden | T1564007["VBA Stomping"] ; class FileEncryption DefensiveTechniqueNode; class OfficeApplicationFile ArtifactNode; click FileEncryption href "/technique/d3f:FileEncryption"; RemoteFileAccessMediation["Remote File Access Mediation"] --> | isolates | OfficeApplicationFile["Office Application File"]; RemoteFileAccessMediation["Remote File Access Mediation"] -.-> | may-isolate | T1564007["VBA Stomping"] ; class RemoteFileAccessMediation DefensiveTechniqueNode; class OfficeApplicationFile ArtifactNode; click RemoteFileAccessMediation href "/technique/d3f:RemoteFileAccessMediation"; FileAnalysis["File Analysis"] --> | analyzes | OfficeApplicationFile["Office Application File"]; FileAnalysis["File Analysis"] -.-> | may-detect | T1564007["VBA Stomping"] ; class FileAnalysis DefensiveTechniqueNode; class OfficeApplicationFile ArtifactNode; click FileAnalysis href "/technique/d3f:FileAnalysis";