Detect Daemon Tools Lite Embedded Malicious Code (CVE-2026-8398) in Google Chronicle
CVE-2026-8398 is a supply chain compromise affecting Daemon Tools Lite, where threat actors embedded malicious code (CWE-506) within the software distribution. Installations of the trojanized version may result in backdoor access, credential theft, or lateral movement from hosts running the compromised software. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog.
MITRE ATT&CK
YARA-L Detection Query
rule cve_2026_8398_daemon_tools_malicious_code {
meta:
author = "df00tech Detection Engineering"
description = "Detects suspicious child process spawning or network activity from Daemon Tools Lite binaries indicating embedded malicious code (CVE-2026-8398)"
severity = "CRITICAL"
priority = "HIGH"
reference = "https://nvd.nist.gov/vuln/detail/CVE-2026-8398"
events:
$e1.metadata.event_type = "PROCESS_LAUNCH"
$e1.principal.process.file.full_path = /(?i)(daemon\.exe|DTLite\.exe|DTAgent\.exe|DTShellHlp\.exe)/
$e1.target.process.file.full_path != /(?i)(conhost\.exe|daemon\.exe|DTLite\.exe|DTAgent\.exe|DTShellHlp\.exe)/
$e1.principal.hostname = $hostname
// OR network events from daemon tools binaries
$e2.metadata.event_type = "NETWORK_CONNECTION"
$e2.principal.process.file.full_path = /(?i)(daemon\.exe|DTLite\.exe|DTAgent\.exe|DTShellHlp\.exe)/
not $e2.target.ip = "127.0.0.1"
not $e2.target.ip = "::1"
$e2.principal.hostname = $hostname
match:
$hostname over 5m
condition:
$e1 or $e2
}Chronicle YARA-L 2.0 rule detecting suspicious process spawning and network communications associated with Daemon Tools Lite binaries that may contain embedded malicious code from CVE-2026-8398.
Data Sources
Required Tables
False Positives & Tuning
- Daemon Tools helper processes launched as part of legitimate virtual disk operations
- Outbound connections to Daemon Tools update servers
- Virtualization or imaging workflows that spawn Daemon Tools as a subprocess
Other platforms for CVE-2026-8398
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Simulate Trojanized Software Child Process Spawning
Expected signal: Sysmon Event ID 1 showing C:\Temp\DTLite.exe spawning cmd.exe as a child process; DeviceProcessEvents in Defender showing the parent-child relationship
- Test 2Simulate Malicious Code Outbound Network Beacon from Daemon Tools Binary
Expected signal: Sysmon Event ID 3 network connection event showing DTAgent.exe (from C:\Temp) making outbound HTTP connection to external IP; DeviceNetworkEvents showing the connection
- Test 3Simulate Embedded Malicious Code Persistence via Registry Run Key
Expected signal: Sysmon Event ID 13 registry value set event for HKCU Run key; Windows Security Event ID 4657 if object access auditing is enabled
- Test 4Verify Daemon Tools Lite Binary Hash Against Known-Good Baseline
Expected signal: File read events for each Daemon Tools binary accessed; output file containing SHA-256 hashes for comparison against vendor advisory
Unlock Pro Content
Get the full detection package for CVE-2026-8398 including response playbook, investigation guide, and atomic red team tests.