Detect Daemon Tools Lite Embedded Malicious Code (CVE-2026-8398) in Splunk
CVE-2026-8398 is a supply chain compromise affecting Daemon Tools Lite, where threat actors embedded malicious code (CWE-506) within the software distribution. Installations of the trojanized version may result in backdoor access, credential theft, or lateral movement from hosts running the compromised software. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog.
SPL Detection Query
index=endpoint sourcetype IN ("XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "WinEventLog:Security", "crowdstrike:events:sensor")
    (ParentImage IN ("*\\daemon.exe", "*\\dtlite.exe", "*\\dtagent.exe", "*\\dtshellhlp.exe") OR Image IN ("*\\daemon.exe", "*\\dtlite.exe", "*\\dtagent.exe", "*\\dtshellhlp.exe"))
| eval parent_lower=lower(ParentImage), image_lower=lower(Image)
| eval is_dt_parent=if(like(parent_lower, "%\\daemon.exe") OR like(parent_lower, "%\\dtlite.exe") OR like(parent_lower, "%\\dtagent.exe") OR like(parent_lower, "%\\dtshellhlp.exe"), 1, 0)
| eval is_expected_child=if(like(image_lower, "%\\conhost.exe") OR like(image_lower, "%\\daemon.exe") OR like(image_lower, "%\\dtlite.exe") OR like(image_lower, "%\\dtagent.exe"), 1, 0)
| eval is_suspicious_child=if(is_dt_parent=1 AND is_expected_child=0, 1, 0)
| stats count AS event_count, sum(is_suspicious_child) AS suspicious_children, earliest(_time) AS first_seen, latest(_time) AS last_seen, values(CommandLine) AS command_lines, values(Image) AS child_processes BY host, ParentImage, user
| where suspicious_children > 0
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S"), last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort - event_count

Detects suspicious child processes spawned by Daemon Tools Lite binaries using Sysmon process creation events, and surfaces hosts that may be running the trojanized Daemon Tools Lite build containing embedded malicious code (CVE-2026-8398). The wildcard matching is done in the base search and with like() in eval, because the IN operator inside where only performs exact comparisons, and the per-event flag is summed in stats so that it survives aggregation. The field names (ParentImage, Image, CommandLine, user) are Sysmon's; events from the other listed sourcetypes need their fields normalized to these names before they will match.
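The same parent/child rule, as an added Python example (not the page's own code) run over constructed Sysmon Event ID 1 records, so the logic can be checked offline before the SPL is deployed; the hosts, users and command lines are hypothetical.

```python
import re
from collections import defaultdict

# Daemon Tools Lite binaries the SPL query treats as parents of interest.
DT_BINARIES = {"daemon.exe", "dtlite.exe", "dtagent.exe", "dtshellhlp.exe"}
# Children a Daemon Tools parent is expected to spawn; anything else is flagged.
EXPECTED_CHILDREN = DT_BINARIES | {"conhost.exe"}

def basename(path: str) -> str:
    """Lower-cased file name from a Windows (or POSIX) path."""
    return re.split(r"[\\/]", path)[-1].lower()

def is_suspicious_child(event: dict) -> bool:
    """True when a Daemon Tools binary spawns a child outside the expected set."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    return parent in DT_BINARIES and child not in EXPECTED_CHILDREN

def summarize(events: list) -> dict:
    """Group flagged events by (host, ParentImage, user), like the stats clause."""
    groups = defaultdict(lambda: {"event_count": 0, "child_processes": set(), "command_lines": set()})
    for ev in events:
        if not is_suspicious_child(ev):
            continue
        g = groups[(ev["host"], ev["ParentImage"], ev["User"])]
        g["event_count"] += 1
        g["child_processes"].add(ev["Image"])
        g["command_lines"].add(ev.get("CommandLine", ""))
    return dict(groups)

# Constructed sample events (hypothetical hosts and users, not real telemetry).
SAMPLE_EVENTS = [
    {"host": "ws01", "User": "CORP\\alice", "ParentImage": "C:\\Program Files\\DAEMON Tools Lite\\DTLite.exe",
     "Image": "C:\\Windows\\System32\\conhost.exe", "CommandLine": "conhost.exe 0x4"},
    {"host": "ws01", "User": "CORP\\alice", "ParentImage": "C:\\Program Files\\DAEMON Tools Lite\\DTLite.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c echo test"},
    {"host": "ws01", "User": "CORP\\alice", "ParentImage": "C:\\Program Files\\DAEMON Tools Lite\\DTAgent.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -NoProfile"},
    {"host": "ws02", "User": "CORP\\bob", "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Program Files\\DAEMON Tools Lite\\DTLite.exe", "CommandLine": "DTLite.exe"},
]

if __name__ == "__main__":
    for key, g in summarize(SAMPLE_EVENTS).items():
        print(key, g["event_count"], sorted(g["child_processes"]))
```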
False Positives & Tuning
- Legitimate child processes spawned during virtual drive mounting operations
- Software update routines initiated by Daemon Tools Lite phoning home to legitimate update endpoints
- Security tooling that instruments or wraps Daemon Tools processes
- Automated testing environments that use Daemon Tools for disk image management
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Simulate Trojanized Software Child Process Spawning
  Expected signal: Sysmon Event ID 1 showing C:\Temp\DTLite.exe spawning cmd.exe as a child process; DeviceProcessEvents in Defender showing the parent-child relationship
- Test 2: Simulate Malicious Code Outbound Network Beacon from Daemon Tools Binary
  Expected signal: Sysmon Event ID 3 network connection event showing DTAgent.exe (from C:\Temp) making an outbound HTTP connection to an external IP; DeviceNetworkEvents showing the connection
- Test 3: Simulate Embedded Malicious Code Persistence via Registry Run Key
  Expected signal: Sysmon Event ID 13 registry value set event for the HKCU Run key; Windows Security Event ID 4657 if object access auditing is enabled
- Test 4: Verify Daemon Tools Lite Binary Hash Against Known-Good Baseline
  Expected signal: File read events for each Daemon Tools binary accessed; output file containing SHA-256 hashes for comparison against the vendor advisory