CVE-2026-8398 Sumo Logic CSE · Sumo

Detect Daemon Tools Lite Embedded Malicious Code (CVE-2026-8398) in Sumo Logic CSE

CVE-2026-8398 is a supply chain compromise affecting Daemon Tools Lite, where threat actors embedded malicious code (CWE-506) within the software distribution. Installations of the trojanized version may result in backdoor access, credential theft, or lateral movement from hosts running the compromised software. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog.

MITRE ATT&CK

Tactic
Initial Access Execution Persistence Command and Control

Sumo Detection Query

Sumo Logic CSE (Sumo)
sql 
_sourceCategory=endpoint/windows* OR _sourceCategory=sysmon*
| json auto
| where %"process.name" matches /(?i)(daemon\.exe|DTLite\.exe|DTAgent\.exe|DTShellHlp\.exe)/
   OR %"process.parent.name" matches /(?i)(daemon\.exe|DTLite\.exe|DTAgent\.exe|DTShellHlp\.exe)/
| where !(%"process.name" matches /(?i)(conhost\.exe)/)
| eval is_child_spawn = if(%"process.parent.name" matches /(?i)(daemon\.exe|DTLite\.exe|DTAgent\.exe|DTShellHlp\.exe)/, "yes", "no")
| stats count AS event_count, first(%"@timestamp") AS first_seen, last(%"@timestamp") AS last_seen, values(%"process.name") AS process_names, values(%"process.command_line") AS command_lines BY _sourceHost, %"user.name", is_child_spawn
| where event_count > 0
| sort by event_count desc
critical severity medium confidence

Sumo Logic query detecting suspicious process activity tied to Daemon Tools Lite components, including unexpected child process spawning that may indicate execution of embedded malicious payloads from CVE-2026-8398.

Data Sources

Sumo Logic Cloud SIEMSysmonWindows Event Log

Required Tables

endpoint/windowssysmon

False Positives & Tuning

  • Legitimate Daemon Tools Lite helper processes spawned during virtual drive operations
  • Automated software update checks contacting known Daemon Tools domains
  • Security tooling processes that parent Daemon Tools during scanning or sandboxing

Other platforms for CVE-2026-8398

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Simulate Trojanized Software Child Process Spawning

    Expected signal: Sysmon Event ID 1 showing C:\Temp\DTLite.exe spawning cmd.exe as a child process; DeviceProcessEvents in Defender showing the parent-child relationship

  2. Test 2Simulate Malicious Code Outbound Network Beacon from Daemon Tools Binary

    Expected signal: Sysmon Event ID 3 network connection event showing DTAgent.exe (from C:\Temp) making outbound HTTP connection to external IP; DeviceNetworkEvents showing the connection

  3. Test 3Simulate Embedded Malicious Code Persistence via Registry Run Key

    Expected signal: Sysmon Event ID 13 registry value set event for HKCU Run key; Windows Security Event ID 4657 if object access auditing is enabled

  4. Test 4Verify Daemon Tools Lite Binary Hash Against Known-Good Baseline

    Expected signal: File read events for each Daemon Tools binary accessed; output file containing SHA-256 hashes for comparison against vendor advisory

Last updated: 2026-06-19 Research depth: standard
References (2)

Unlock Pro Content

Get the full detection package for CVE-2026-8398 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0002ExecutionTA0003PersistenceTA0011Command and Control

Related Techniques

T1195.002Compromise Software Supply ChainT1059Command and Scripting InterpreterT1071Application Layer Protocol

Same Tactic: Initial Access

Popular Detections