Hide Artifacts: VBA Stomping

Other sub-techniques of Hide Artifacts (14)

ID	Name
ATAGS-T1096.001	Bind Mounts
ATAGS-T1096.002	Email Hiding Rules
ATAGS-T1096.003	Extended Attributes
ATAGS-T1096.004	File/Path Exclusions
ATAGS-T1096.005	Hidden File System
ATAGS-T1096.006	Hidden Files and Directories
ATAGS-T1096.007	Hidden Users
ATAGS-T1096.008	Hidden Window
ATAGS-T1096.009	Ignore Process Interrupts
ATAGS-T1096.010	NTFS File Attributes
ATAGS-T1096.011	Process Argument Spoofing
ATAGS-T1096.012	Resource Forking
ATAGS-T1096.013	Run Virtual Instance
ATAGS-T1096.014	VBA Stomping

Threat Actors may hide malicious Visual Basic for Applications (VBA) payloads embedded within MS Office documents by replacing the VBA source code with benign data.

ID: ATAGS-T1096.014

Sub-technique of: ATAGS-T1096

ⓘ

Tactic: Defense Evasion

ⓘ

Targeted Components: Software

ⓘ

Responsibility: Provider

Created: 18 April 2026

Last Modified: 18 April 2026

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.