T1027.009 Embedded Payloads Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let EmbeddingPatterns = dynamic([
  "certutil -decode", "certutil -urlcache",
  "expand ", "extrac32",
  "makecab", "expand.exe"
]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine has_any (EmbeddingPatterns)
    and ProcessCommandLine has_any (".exe", ".dll", ".bin", ".dat", ".cfg")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by Timestamp desc
| union (
    DeviceFileEvents
    | where Timestamp > ago(24h)
    | where ActionType == "FileCreated"
    | where FileName endswith ".exe" or FileName endswith ".dll" or FileName endswith ".bin"
    | where InitiatingProcessFileName has_any (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx")
        or InitiatingProcessFileName in~ ("AcroRd32.exe", "WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE")
    | project Timestamp, DeviceName, AccountName=InitiatingProcessAccountName, FileName,
             FolderPath, InitiatingProcessFileName, InitiatingProcessCommandLine
)

high severity high confidence

Data Sources

Process: Process Creation File: File Creation Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents DeviceFileEvents

False Positives

certutil legitimately used by IT for certificate operations or legitimate file decoding in automation scripts
expand.exe used by Windows Update and software installers to decompress cabinet files
Office applications dropping temp files with .bin or .dat extensions during normal document processing
PDF readers extracting embedded attachments from legitimate PDFs (forms, documents with attachments)

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11
  (TargetFilename="*.exe" OR TargetFilename="*.dll" OR TargetFilename="*.bin" OR TargetFilename="*.shellcode")
  (Image="*\\WINWORD.EXE" OR Image="*\\EXCEL.EXE" OR Image="*\\POWERPNT.EXE"
   OR Image="*\\AcroRd32.exe" OR Image="*\\FoxitPDFReader.exe"
   OR Image="*\\wscript.exe" OR Image="*\\cscript.exe" OR Image="*\\mshta.exe")
| eval IsOfficeExtract=if(match(Image, "(WINWORD|EXCEL|POWERPNT|AcroRd)"), 1, 0)
| eval IsScriptExtract=if(match(Image, "(wscript|cscript|mshta)"), 1, 0)
| table _time, host, User, TargetFilename, Image, IsOfficeExtract, IsScriptExtract
| sort - _time
| append [
    search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
      (Image="*\\certutil.exe")
      (CommandLine="*-decode*" OR CommandLine="*-urlcache*")
    | table _time, host, User, Image, CommandLine
]

high severity high confidence

Data Sources

File: File Creation Process: Process Creation Sysmon Event ID 11 Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

certutil -decode used by IT for legitimate certificate file conversion operations
Office add-ins that legitimately extract DLL components during first-run setup
PDF forms that extract helper executables for PDF form processing
Scripting engines extracting legitimate resource files as part of software installation

Elastic Security (EQL)

eql

any where
  (
    event.category == "process" and
    event.type == "start" and
    (
      (
        process.name like~ "certutil.exe" and
        (
          process.command_line like~ "*-decode*" or
          process.command_line like~ "*-urlcache*"
        ) and
        (
          process.command_line like~ "*.exe*" or
          process.command_line like~ "*.dll*" or
          process.command_line like~ "*.bin*" or
          process.command_line like~ "*.dat*" or
          process.command_line like~ "*.cfg*"
        )
      ) or
      (
        process.name in~ ("expand.exe", "extrac32.exe", "makecab.exe") and
        (
          process.command_line like~ "*.exe*" or
          process.command_line like~ "*.dll*" or
          process.command_line like~ "*.bin*"
        )
      )
    )
  ) or
  (
    event.category == "file" and
    event.type in ("creation", "change") and
    file.extension in~ ("exe", "dll", "bin", "shellcode") and
    process.name in~ (
      "WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE",
      "AcroRd32.exe", "FoxitPDFReader.exe",
      "wscript.exe", "cscript.exe", "mshta.exe"
    )
  )

high severity medium confidence

Data Sources

Elastic Endpoint Security agent Sysmon via Elastic Agent Windows integration Winlogbeat with Sysmon module

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.file-* logs-windows.sysmon_operational-*

False Positives

IT administrators legitimately invoking certutil.exe for certificate enrollment, CRL retrieval, or base64 decode of non-malicious payloads during system provisioning or PKI management tasks
Software deployment tools such as SCCM, PDQ Deploy, or Intune Win32 app packaging that use expand.exe or extrac32.exe to stage cabinet-archive installer components containing .exe or .dll files
Office COM add-ins or macro-enabled templates used for legitimate business automation that write helper .dll components to the user profile or temp directories during first-run initialization

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS "Event Time",
  sourceip AS "Source IP",
  username AS "Username",
  "Process Name",
  "Command Line",
  "Target File Name",
  QIDNAME(qid) AS "QID Name",
  LOGSOURCETYPENAME(logsourceid) AS "Log Source Type"
FROM events
WHERE
  LOGSOURCETYPENAME(logsourceid) IN (
    'Microsoft Windows Security Event Log',
    'Microsoft Sysmon'
  )
  AND (
    (
      (
        QIDNAME(qid) ILIKE '%Process Create%'
        OR CATEGORYNAME(category) ILIKE '%process%'
      )
      AND (
        (
          "Process Name" ILIKE '%certutil.exe'
          AND (
            "Command Line" ILIKE '%-decode%'
            OR "Command Line" ILIKE '%-urlcache%'
          )
          AND (
            "Command Line" ILIKE '%.exe%'
            OR "Command Line" ILIKE '%.dll%'
            OR "Command Line" ILIKE '%.bin%'
            OR "Command Line" ILIKE '%.dat%'
          )
        )
        OR (
          (
            "Process Name" ILIKE '%expand.exe'
            OR "Process Name" ILIKE '%extrac32.exe'
            OR "Process Name" ILIKE '%makecab.exe'
          )
          AND (
            "Command Line" ILIKE '%.exe%'
            OR "Command Line" ILIKE '%.dll%'
            OR "Command Line" ILIKE '%.bin%'
          )
        )
      )
    )
    OR (
      QIDNAME(qid) ILIKE '%File Create%'
      AND (
        "Target File Name" ILIKE '%.exe'
        OR "Target File Name" ILIKE '%.dll'
        OR "Target File Name" ILIKE '%.bin'
        OR "Target File Name" ILIKE '%.shellcode'
      )
      AND (
        "Process Name" ILIKE '%WINWORD.EXE'
        OR "Process Name" ILIKE '%EXCEL.EXE'
        OR "Process Name" ILIKE '%POWERPNT.EXE'
        OR "Process Name" ILIKE '%AcroRd32.exe'
        OR "Process Name" ILIKE '%FoxitPDFReader.exe'
        OR "Process Name" ILIKE '%wscript.exe'
        OR "Process Name" ILIKE '%cscript.exe'
        OR "Process Name" ILIKE '%mshta.exe'
      )
    )
  )
LAST 24 HOURS
ORDER BY devicetime DESC

high severity medium confidence

Data Sources

IBM QRadar SIEM Windows Security Event Log DSM Microsoft Sysmon DSM (custom property extraction required)

Required Tables

events

False Positives

PKI administrators and certificate lifecycle management automation using certutil.exe for legitimate base64 decode, CRL distribution point downloads, or PKCS#12 bundle generation where output file extensions match .bin or .dat
Managed endpoint deployment pipelines (BigFix, Tanium, SCCM) that invoke expand.exe or extrac32.exe to extract cabinet-packaged installer components as part of sanctioned software distribution workflows
Document digitization or DLP inspection tools that temporarily write executable helper components to disk from within Office or Acrobat process contexts during content transformation pipelines

Sumo Logic CSE

sql

_sourceCategory=windows/sysmon (EventCode=1 OR EventCode=11)
| parse field=EventData "<Data Name='Image'>*</Data>" as Image nodrop
| parse field=EventData "<Data Name='CommandLine'>*</Data>" as CommandLine nodrop
| parse field=EventData "<Data Name='TargetFilename'>*</Data>" as TargetFilename nodrop
| parse field=EventData "<Data Name='User'>*</Data>" as User nodrop
| where (
    (
      EventCode = "1"
      and Image matches "(?i).*certutil\.exe$"
      and (
        CommandLine matches "(?i).*-decode.*"
        or CommandLine matches "(?i).*-urlcache.*"
      )
      and (
        CommandLine matches "(?i).*\.exe.*"
        or CommandLine matches "(?i).*\.dll.*"
        or CommandLine matches "(?i).*\.bin.*"
        or CommandLine matches "(?i).*\.dat.*"
      )
    )
    or (
      EventCode = "1"
      and (
        Image matches "(?i).*expand\.exe$"
        or Image matches "(?i).*extrac32\.exe$"
        or Image matches "(?i).*makecab\.exe$"
      )
      and (
        CommandLine matches "(?i).*\.exe.*"
        or CommandLine matches "(?i).*\.dll.*"
        or CommandLine matches "(?i).*\.bin.*"
      )
    )
    or (
      EventCode = "11"
      and (
        TargetFilename matches "(?i).*\.exe$"
        or TargetFilename matches "(?i).*\.dll$"
        or TargetFilename matches "(?i).*\.bin$"
        or TargetFilename matches "(?i).*\.shellcode$"
      )
      and Image matches "(?i).*(WINWORD|EXCEL|POWERPNT|AcroRd32|FoxitPDFReader|wscript|cscript|mshta)\.exe$"
    )
  )
| if (EventCode = "1" and Image matches "(?i).*certutil.*", "certutil_decode",
    if (EventCode = "1", "expand_extract", "office_binary_drop")) as ThreatPattern
| if (EventCode = "1", "Process Execution", "File Creation") as EventType
| fields _time, Computer, User, Image, CommandLine, TargetFilename, EventType, ThreatPattern
| sort by _time desc

high severity medium confidence

Data Sources

Sumo Logic Installed Collector (Windows host) Sysmon Operational Event Log (Microsoft-Windows-Sysmon/Operational) Sumo Logic Windows Event Log Source

Required Tables

Sumo Logic index matching _sourceCategory=windows/sysmon

False Positives

Enterprise PKI management scripts that invoke certutil.exe against .bin or .dat encoded certificate payloads during automated certificate rotation or trust anchor updates
Office-integrated Robotic Process Automation (RPA) tools such as UiPath or Automation Anywhere that write helper .exe or .dll components from within WINWORD or EXCEL process context during workflow agent initialization
Anti-malware or EDR product update agents that extract .exe or .dll payload components from within wscript.exe or cscript.exe contexts as part of a scripted signature or definition update routine

Google Chronicle / SecOps

yaral

rule t1027_009_embedded_payloads {
  meta:
    author = "Detection Engineering"
    description = "Detects T1027.009 - Embedded Payloads: certutil decode/urlcache targeting executables or binary file creation by document and script host processes"
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1027.009"
    severity = "HIGH"
    confidence = "MEDIUM"

  events:
    $proc.metadata.event_type = "PROCESS_LAUNCH"
    re.regex($proc.target.process.file.full_path, `(?i)certutil\.exe$`)
    re.regex($proc.target.process.command_line, `(?i)-(decode|urlcache)`)
    re.regex($proc.target.process.command_line, `(?i)\.(exe|dll|bin|dat|cfg)`)
    $proc_host = $proc.principal.hostname

    $drop.metadata.event_type = "FILE_CREATION"
    re.regex($drop.target.file.full_path, `(?i)\.(exe|dll|bin|shellcode)$`)
    re.regex(
      $drop.principal.process.file.full_path,
      `(?i)(WINWORD|EXCEL|POWERPNT|AcroRd32|FoxitPDFReader|wscript|cscript|mshta)\.exe$`
    )
    $drop_host = $drop.principal.hostname

  condition:
    $proc or $drop
}

high severity medium confidence

Data Sources

Google Chronicle SIEM Chronicle UDM (Unified Data Model) Windows Endpoint telemetry via Chronicle Bindplane or native feed ingestion

Required Tables

UDM normalized events: PROCESS_LAUNCH, FILE_CREATION

False Positives

Legitimate certutil.exe usage by system administrators to decode base64-encoded certificate blobs or download CRL files with .bin extensions from internal enterprise PKI distribution points
Microsoft Office template or add-in initialization workflows that write helper executables or COM surrogate DLLs to the user's AppData directory during first-run or update processing
Script-based software packaging tools (wscript.exe or cscript.exe driven VBScript installers) that extract application binaries from self-extracting archive scripts as part of a sanctioned deployment procedure

CrowdStrike LogScale (CQL)

cql

#event_simpleName = /^(ProcessRollup2|SyntheticProcessRollup2|FileWritten)$/
| case {
    #event_simpleName = /ProcessRollup2/
    | FileName = /(?i)certutil\.exe$/
    | CommandLine = /(?i)-(decode|urlcache)/
    | CommandLine = /(?i)\.(exe|dll|bin|dat|cfg)/
    | DetectionType := "CertutilDecode" ;

    #event_simpleName = /ProcessRollup2/
    | FileName = /(?i)(expand|extrac32|makecab)\.exe$/
    | CommandLine = /(?i)\.(exe|dll|bin)/
    | DetectionType := "ExpandExtract" ;

    #event_simpleName = /FileWritten/
    | TargetFileName = /(?i)\.(exe|dll|bin|shellcode)$/
    | ImageFileName = /(?i)(WINWORD|EXCEL|POWERPNT|AcroRd32|FoxitPDFReader|wscript|cscript|mshta)\.exe$/
    | DetectionType := "OfficeBinaryDrop"
  }
| table(
    [_time, ComputerName, UserName, FileName, CommandLine,
     ImageFileName, TargetFileName, DetectionType]
  )
| sort(field=_time, order=desc)

high severity medium confidence

Data Sources

CrowdStrike Falcon Platform CrowdStrike Falcon sensor (EDR telemetry) Falcon Event Stream (ProcessRollup2, FileWritten event types)

Required Tables

Falcon event stream: #event_simpleName ProcessRollup2, SyntheticProcessRollup2, FileWritten

False Positives

Falcon-monitored endpoints where IT automation invokes certutil.exe for legitimate certificate management operations such as importing root CA certificates or generating PKCS#7 encoded trust bundles with .bin output paths
Enterprise software packaging workflows that use makecab.exe or expand.exe as part of MSI bootstrapper or ClickOnce deployment routines, triggering the ExpandExtract branch during sanctioned application rollouts
Microsoft Office add-ins or third-party COM objects that write new .dll components to the user profile or program files during plugin update cycles, generating OfficeBinaryDrop telemetry from WINWORD.EXE or EXCEL.EXE

Embedded Payloads

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections