Detect Daemon Tools Lite Embedded Malicious Code (CVE-2026-8398) in Microsoft Sentinel
CVE-2026-8398 is a supply chain compromise affecting Daemon Tools Lite, where threat actors embedded malicious code (CWE-506) within the software distribution. Installations of the trojanized version may result in backdoor access, credential theft, or lateral movement from hosts running the compromised software. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog.
MITRE ATT&CK
KQL Detection Query
let daemonToolsProcesses = DeviceProcessEvents
| where FileName in~ ("daemon.exe", "DTLite.exe", "DTAgent.exe", "DTShellHlp.exe")
| project DeviceId, DeviceName, Timestamp, ProcessId, FileName, FolderPath, SHA256, ProcessCommandLine, AccountName, InitiatingProcessFileName;
let suspiciousChildren = DeviceProcessEvents
| where InitiatingProcessFileName in~ ("daemon.exe", "DTLite.exe", "DTAgent.exe", "DTShellHlp.exe")
| where FileName !in~ ("daemon.exe", "DTLite.exe", "DTAgent.exe", "DTShellHlp.exe", "conhost.exe")
| project DeviceId, DeviceName, Timestamp, ProcessId, FileName, FolderPath, ProcessCommandLine, AccountName, InitiatingProcessFileName, InitiatingProcessCommandLine;
let networkFromDaemon = DeviceNetworkEvents
| where InitiatingProcessFileName in~ ("daemon.exe", "DTLite.exe", "DTAgent.exe", "DTShellHlp.exe")
| where RemoteIPType != "Loopback"
| project DeviceId, DeviceName, Timestamp, RemoteIP, RemotePort, RemoteUrl, InitiatingProcessFileName, InitiatingProcessCommandLine;
daemonToolsProcesses
| union suspiciousChildren
| union networkFromDaemon
| summarize EventCount=count(), FirstSeen=min(Timestamp), LastSeen=max(Timestamp) by DeviceId, DeviceName, FileName, FolderPath, AccountName
| sort by EventCount descDetects suspicious process activity and network connections originating from Daemon Tools Lite binaries, which may indicate execution of embedded malicious code introduced via CVE-2026-8398 supply chain compromise.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate Daemon Tools Lite usage performing disk image mounting with expected child processes
- Antivirus or EDR products inspecting Daemon Tools processes and spawning scan-related children
- Software update mechanisms launched by Daemon Tools that contact legitimate update servers
- Virtual drive operations that trigger short-lived helper processes
Other platforms for CVE-2026-8398
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Simulate Trojanized Software Child Process Spawning
Expected signal: Sysmon Event ID 1 showing C:\Temp\DTLite.exe spawning cmd.exe as a child process; DeviceProcessEvents in Defender showing the parent-child relationship
- Test 2Simulate Malicious Code Outbound Network Beacon from Daemon Tools Binary
Expected signal: Sysmon Event ID 3 network connection event showing DTAgent.exe (from C:\Temp) making outbound HTTP connection to external IP; DeviceNetworkEvents showing the connection
- Test 3Simulate Embedded Malicious Code Persistence via Registry Run Key
Expected signal: Sysmon Event ID 13 registry value set event for HKCU Run key; Windows Security Event ID 4657 if object access auditing is enabled
- Test 4Verify Daemon Tools Lite Binary Hash Against Known-Good Baseline
Expected signal: File read events for each Daemon Tools binary accessed; output file containing SHA-256 hashes for comparison against vendor advisory
Unlock Pro Content
Get the full detection package for CVE-2026-8398 including response playbook, investigation guide, and atomic red team tests.