
Detect Daemon Tools Lite Embedded Malicious Code (CVE-2026-8398) in Elastic Security

CVE-2026-8398 is a supply chain compromise of Daemon Tools Lite in which threat actors embedded malicious code (CWE-506, Embedded Malicious Code) in the software distribution itself. Installing the trojanized version can give the attacker backdoor access to the host and enable credential theft and lateral movement from it. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog.

MITRE ATT&CK

Tactics

  • Initial Access
  • Execution
  • Persistence
  • Command and Control

Elastic Detection Query

```eql
sequence by host.name with maxspan=5m
  // Step 1: a Daemon Tools Lite binary starts
  [process where event.type == "start"
   and process.name : ("daemon.exe", "DTLite.exe", "DTAgent.exe", "DTShellHlp.exe")]
  // Step 2: within 5 minutes on the same host, either an unexpected child process
  // of one of those binaries or an outbound connection made by one of them
  [any where
    (event.category == "process" and event.type == "start"
     and process.parent.name : ("daemon.exe", "DTLite.exe", "DTAgent.exe", "DTShellHlp.exe")
     and not process.name : ("conhost.exe", "daemon.exe", "DTLite.exe", "DTAgent.exe", "DTShellHlp.exe"))
    or
    (event.category == "network" and event.type == "start"
     and process.name : ("daemon.exe", "DTLite.exe", "DTAgent.exe", "DTShellHlp.exe")
     // destination.ip is an ip field; the case-insensitive ":" operator is string-only,
     // so loopback is excluded with cidrMatch instead of a string comparison
     and not cidrMatch(destination.ip, "127.0.0.0/8", "::1/128"))
  ]
```

Severity: critical · Confidence: medium

EQL sequence rule that correlates a Daemon Tools Lite process start with a subsequent suspicious child process or non-loopback network connection on the same host within a 5-minute window. The sequence is keyed on host.name only, so the second event is not tied to the specific process instance from the first: on a host where the software runs continuously, any Daemon Tools start followed by any of its children or connections inside the window completes the sequence. That keeps the rule simple, but during triage the two events should be checked against each other (process.entity_id on the first versus process.parent.entity_id or process.entity_id on the second) before treating the pair as related.
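To see how the sequence behaves without an Elastic stack, here is an added Python emulation of the rule's two steps and its five-minute window, run over a few constructed ECS-style events. This is editor-supplied example code, not the page's rule and not Elastic's EQL engine; the hostnames, timestamps and addresses are made up, and it keeps only one pending step-1 event per host, which is simpler than EQL's overlapping-sequence semantics.

```python
"""Toy emulation of the EQL sequence above over constructed ECS-style events.
Field names follow ECS; this is illustrative code, not Elastic's EQL engine."""
import ipaddress
from datetime import datetime, timedelta

DT_BINARIES = {"daemon.exe", "dtlite.exe", "dtagent.exe", "dtshellhlp.exe"}
EXCLUDED_CHILDREN = DT_BINARIES | {"conhost.exe"}
LOOPBACK = (ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128"))
MAXSPAN = timedelta(minutes=5)


def _name(ev, key="process.name"):
    # EQL ":" is case-insensitive, so compare lower-cased names
    return (ev.get(key) or "").lower()


def is_dt_start(ev):
    """Step 1: a Daemon Tools Lite process start event."""
    return (ev["event.category"] == "process" and ev["event.type"] == "start"
            and _name(ev) in DT_BINARIES)


def is_suspicious_followup(ev):
    """Step 2: unexpected child process, or non-loopback connection by a DT binary."""
    if ev["event.category"] == "process" and ev["event.type"] == "start":
        return (_name(ev, "process.parent.name") in DT_BINARIES
                and _name(ev) not in EXCLUDED_CHILDREN)
    if ev["event.category"] == "network" and ev["event.type"] == "start":
        dst = ipaddress.ip_address(ev["destination.ip"])
        return _name(ev) in DT_BINARIES and not any(dst in net for net in LOOPBACK)
    return False


def run_sequence(events):
    """Emulate `sequence by host.name with maxspan=5m`.
    Returns a list of (host, step1_event, step2_event) matches in time order."""
    pending = {}  # host -> most recent step-1 event still waiting for a follow-up
    matches = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        host = ev["host.name"]
        if is_dt_start(ev):
            pending[host] = ev
            continue
        first = pending.get(host)
        if first is None:
            continue
        if ev["@timestamp"] - first["@timestamp"] > MAXSPAN:
            del pending[host]  # step 1 expired without the sequence completing
            continue
        if is_suspicious_followup(ev):
            matches.append((host, first, ev))
            del pending[host]  # a consumed step-1 event is not reused here
    return matches


T0 = datetime(2026, 6, 19, 12, 0, 0)

# Constructed sample telemetry (not real events); TEST-NET addresses stand in for "external"
SAMPLE_EVENTS = [
    {"@timestamp": T0, "host.name": "ws01", "event.category": "process", "event.type": "start",
     "process.name": "DTLite.exe", "process.parent.name": "explorer.exe"},
    {"@timestamp": T0 + timedelta(seconds=30), "host.name": "ws01", "event.category": "process",
     "event.type": "start", "process.name": "cmd.exe", "process.parent.name": "DTLite.exe"},
    {"@timestamp": T0, "host.name": "ws02", "event.category": "process", "event.type": "start",
     "process.name": "DTAgent.exe", "process.parent.name": "services.exe"},
    {"@timestamp": T0 + timedelta(seconds=5), "host.name": "ws02", "event.category": "network",
     "event.type": "start", "process.name": "DTAgent.exe", "destination.ip": "127.0.0.1"},
    {"@timestamp": T0 + timedelta(minutes=10), "host.name": "ws02", "event.category": "network",
     "event.type": "start", "process.name": "DTAgent.exe", "destination.ip": "203.0.113.7"},
    {"@timestamp": T0, "host.name": "ws03", "event.category": "process", "event.type": "start",
     "process.name": "DTLite.exe", "process.parent.name": "explorer.exe"},
    {"@timestamp": T0 + timedelta(minutes=4), "host.name": "ws03", "event.category": "network",
     "event.type": "start", "process.name": "DTLite.exe", "destination.ip": "198.51.100.9"},
]

if __name__ == "__main__":
    for host, first, second in run_sequence(SAMPLE_EVENTS):
        print(host, first["process.name"], "->", second["event.category"], second.get("process.name"))
```

On the sample data ws01 fires on the cmd.exe child, ws03 fires on the outbound connection, and ws02 never fires: its first connection is loopback and its external connection arrives after the five-minute window has expired. Swapping the constructed events for exported documents from logs-endpoint.events.* is a quick way to check a tuning change before editing the rule.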

Data Sources

Elastic Endpoint, Elastic Agent

Required Tables

logs-endpoint.events.process-*
logs-endpoint.events.network-*

False Positives & Tuning

  • Normal Daemon Tools operations that spawn licensed helper binaries
  • Network connectivity to Daemon Tools update infrastructure
  • Virtual machine or container tooling that invokes Daemon Tools as part of image provisioning

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Simulate Trojanized Software Child Process Spawning

    Expected signal: Sysmon Event ID 1 showing C:\Temp\DTLite.exe spawning cmd.exe as a child process; DeviceProcessEvents in Defender showing the parent-child relationship. In Elastic Endpoint telemetry this is a logs-endpoint.events.process-* document with process.parent.name "DTLite.exe" and process.name "cmd.exe"; the sequence fires only if the start of the renamed DTLite.exe itself was recorded within the preceding five minutes.

  2. Test 2: Simulate Malicious Code Outbound Network Beacon from Daemon Tools Binary

    Expected signal: Sysmon Event ID 3 network connection event showing DTAgent.exe (from C:\Temp) making an outbound HTTP connection to an external IP; DeviceNetworkEvents showing the connection. In Elastic Endpoint telemetry this is a logs-endpoint.events.network-* document with process.name "DTAgent.exe" and a non-loopback destination.ip.

  3. Test 3: Simulate Embedded Malicious Code Persistence via Registry Run Key

    Expected signal: Sysmon Event ID 13 registry value set event for the HKCU Run key; Windows Security Event ID 4657 if object access auditing is enabled. The EQL rule above does not consume registry events, so this test exercises persistence coverage in general rather than this rule.

  4. Test 4: Verify Daemon Tools Lite Binary Hash Against Known-Good Baseline

    Expected signal: File read events for each Daemon Tools binary accessed; an output file containing SHA-256 hashes for comparison against the vendor advisory.
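The baseline comparison in Test 4, as an added Python example that is not part of the page or of any Atomic Red Team test: it streams SHA-256 over each binary in an install directory, compares against a known-good map, and also reports files present on disk that the baseline does not list. The install directory, file contents and baseline hashes in `demo()` are constructed for the demonstration; in practice the baseline comes from the vendor advisory and the directory is the real Daemon Tools Lite install path.

```python
"""Hash-baseline check for an install directory (editor-supplied example).
The directory and hashes built in demo() are fabricated for the demonstration."""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 20):
    """Stream the file so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_install(install_dir, baseline):
    """Compare each (name -> sha256) pair in baseline with what is on disk.
    Returns lists of ok, mismatch, missing and unexpected file names; names are
    matched case-insensitively as Windows does. Unexpected covers .exe/.dll files
    on disk that the baseline does not mention, which is where a dropped implant
    component would show up."""
    install_dir = Path(install_dir)
    on_disk = {p.name.lower(): p for p in install_dir.iterdir() if p.is_file()}
    result = {"ok": [], "mismatch": [], "missing": [], "unexpected": []}
    for name, good in baseline.items():
        path = on_disk.get(name.lower())
        if path is None:
            result["missing"].append(name)
        elif sha256_file(path) == good.lower():
            result["ok"].append(name)
        else:
            result["mismatch"].append(name)
    expected = {n.lower() for n in baseline}
    result["unexpected"] = sorted(
        n for n in on_disk if n.endswith((".exe", ".dll")) and n not in expected
    )
    return result


def demo():
    """Build a throwaway install dir with one tampered binary, one missing binary
    and one extra DLL, then check it against a baseline taken before tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        # Fake file contents; real binaries would start with an MZ header and be far larger
        contents = {"daemon.exe": b"MZ daemon", "DTLite.exe": b"MZ dtlite", "DTAgent.exe": b"MZ dtagent"}
        for name, data in contents.items():
            (d / name).write_bytes(data)
        baseline = {name: hashlib.sha256(data).hexdigest() for name, data in contents.items()}
        # In the baseline (vendor list) but never installed
        baseline["DTShellHlp.exe"] = hashlib.sha256(b"MZ shellhlp").hexdigest()
        (d / "DTAgent.exe").write_bytes(b"MZ dtagent + implant")  # modified after baselining
        (d / "update.dll").write_bytes(b"MZ extra")               # not in the vendor list
        return verify_install(d, baseline)


if __name__ == "__main__":
    for bucket, names in demo().items():
        print(f"{bucket:10}: {names}")
```

Run against a real install, the interesting buckets are `mismatch` and `unexpected`; `missing` usually just means an optional component was not installed, but it is worth confirming against the advisory before discarding it.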

Last updated: 2026-06-19 Research depth: standard
