Detect Daemon Tools Lite Embedded Malicious Code (CVE-2026-8398) in IBM QRadar
CVE-2026-8398 is a supply chain compromise affecting Daemon Tools Lite, where threat actors embedded malicious code (CWE-506) within the software distribution. Installations of the trojanized version may result in backdoor access, credential theft, or lateral movement from hosts running the compromised software. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog.
MITRE ATT&CK
QRadar Detection Query
SELECT DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time, sourceip, destinationip, destinationport, username, "Application" AS application, "Process Name" AS process_name, "Parent Process Name" AS parent_process_name, "Command" AS command_line, QIDNAME(qid) AS event_name, logsourcename(logsourceid) AS log_source
FROM events
WHERE LOGSOURCETYPENAME(logsourceid) IN ('Microsoft Windows Security Event Log', 'Sysmon')
AND (
LOWER("Process Name") LIKE '%daemon.exe%'
OR LOWER("Process Name") LIKE '%dtlite.exe%'
OR LOWER("Process Name") LIKE '%dtagent.exe%'
OR LOWER("Process Name") LIKE '%dtshellhlp.exe%'
OR LOWER("Parent Process Name") LIKE '%daemon.exe%'
OR LOWER("Parent Process Name") LIKE '%dtlite.exe%'
OR LOWER("Parent Process Name") LIKE '%dtagent.exe%'
OR LOWER("Parent Process Name") LIKE '%dtshellhlp.exe%'
)
AND NOT (
LOWER("Process Name") LIKE '%conhost.exe%'
OR destinationip IS NULL
)
ORDER BY starttime DESC
LAST 24 HOURSQRadar AQL query identifying process execution and network activity associated with Daemon Tools Lite binaries, surfacing potential indicators of the embedded malicious code described in CVE-2026-8398.
Data Sources
Required Tables
False Positives & Tuning
- Standard Daemon Tools Lite disk image mount/unmount operations triggering expected helper processes
- Legitimate outbound connections to Daemon Tools update or licensing servers
- Endpoint security agents instrumenting Daemon Tools processes during normal scanning
Other platforms for CVE-2026-8398
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Simulate Trojanized Software Child Process Spawning
Expected signal: Sysmon Event ID 1 showing C:\Temp\DTLite.exe spawning cmd.exe as a child process; DeviceProcessEvents in Defender showing the parent-child relationship
- Test 2Simulate Malicious Code Outbound Network Beacon from Daemon Tools Binary
Expected signal: Sysmon Event ID 3 network connection event showing DTAgent.exe (from C:\Temp) making outbound HTTP connection to external IP; DeviceNetworkEvents showing the connection
- Test 3Simulate Embedded Malicious Code Persistence via Registry Run Key
Expected signal: Sysmon Event ID 13 registry value set event for HKCU Run key; Windows Security Event ID 4657 if object access auditing is enabled
- Test 4Verify Daemon Tools Lite Binary Hash Against Known-Good Baseline
Expected signal: File read events for each Daemon Tools binary accessed; output file containing SHA-256 hashes for comparison against vendor advisory
Unlock Pro Content
Get the full detection package for CVE-2026-8398 including response playbook, investigation guide, and atomic red team tests.