Detect Embedded Payloads in CrowdStrike LogScale
Adversaries may embed payloads within other files to conceal malicious content from defenses. Otherwise seemingly benign files (such as scripts and executables) may be abused to carry and obfuscate malicious payloads and content. Adversaries have been observed embedding payloads as PE overlays, within resource sections of legitimate binaries, inside LNK file ExtraData fields, within Office VBA macros, and nested inside other file types. Notable examples include Emotet embedding executables in dropper binaries, DEADEYE embedding payloads in compiled binaries, Lazarus Group distributing malicious payloads in PNG files, Pikabot loading encrypted chunked PE sections, and Uroburos storing executable payloads in encrypted Queue files.
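The PE overlay carrier named above is the easiest of these containers to check for on disk, because the PE headers state exactly where the image is supposed to end. The following Python script is an added example written for this page (not CrowdStrike code and not from the references) that parses a PE's section table, measures any bytes past the last section, subtracts the bytes accounted for by the Security data directory (an Authenticode signature legitimately lives in the overlay), and flags an "MZ" header in what remains. It builds its own minimal PE32 images as constructed test data so it runs offline; `build_sample_pe` and `analyze_overlay` are names chosen here.

```python
import struct

FILE_ALIGN = 0x200
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")   # IMAGE_SECTION_HEADER, 40 bytes


def _align(n, a=FILE_ALIGN):
    return (n + a - 1) // a * a


def build_sample_pe(section_payloads, signature=b"", overlay=b""):
    """Construct a minimal PE32 file image as test data (not a real, loadable binary).
    Layout: DOS header -> "PE\\0\\0" -> COFF header -> PE32 optional header -> section
    table -> raw section data -> optional signature blob referenced by the Security
    data directory -> optional trailing overlay."""
    e_lfanew, size_opt = 0x40, 0xE0            # 0xE0 is the standard PE32 optional header size
    n = len(section_payloads)
    ptr = _align(e_lfanew + 4 + 20 + size_opt + n * SECTION_HDR.size)
    table = []
    for i, payload in enumerate(section_payloads):
        raw = _align(len(payload))
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ..., Characteristics
        table.append((f".s{i}".encode().ljust(8, b"\0"), len(payload), 0x1000 * (i + 1),
                      raw, ptr, 0, 0, 0, 0, 0x60000020))
        ptr += raw
    sig_off = ptr if signature else 0
    img = bytearray(ptr + len(signature) + len(overlay))
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, e_lfanew)                       # e_lfanew
    img[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    # COFF: Machine, NumberOfSections, TimeDateStamp, PtrSymTable, NumSymbols, SizeOfOptionalHeader, Characteristics
    struct.pack_into("<HHIIIHH", img, e_lfanew + 4, 0x14C, n, 0, 0, 0, size_opt, 0x102)
    opt = e_lfanew + 24
    struct.pack_into("<H", img, opt, 0x10B)                           # PE32 magic
    struct.pack_into("<II", img, opt + 96 + 4 * 8, sig_off, len(signature))  # Security directory (index 4)
    for i, hdr in enumerate(table):
        SECTION_HDR.pack_into(img, opt + size_opt + i * SECTION_HDR.size, *hdr)
        img[hdr[4]:hdr[4] + len(section_payloads[i])] = section_payloads[i]
    if signature:
        img[sig_off:sig_off + len(signature)] = signature
    img[ptr + len(signature):] = overlay
    return bytes(img)


def analyze_overlay(data):
    """Parse PE headers and report what lies past the last section's raw data.
    overlay_size: all bytes after the sections; cert_bytes: the part explained by the
    Security directory (signature, plus any gap before it); unexplained_bytes: the rest;
    nested_mz: True when the unexplained bytes contain an "MZ" header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    n, = struct.unpack_from("<H", data, e_lfanew + 6)
    size_opt, = struct.unpack_from("<H", data, e_lfanew + 20)
    opt = e_lfanew + 24
    magic, = struct.unpack_from("<H", data, opt)
    dir_base = opt + (96 if magic == 0x10B else 112)                  # PE32 vs PE32+
    sec_table = opt + size_opt
    end = sec_table + n * SECTION_HDR.size
    if end > len(data):
        raise ValueError("truncated section table")
    for i in range(n):
        hdr = SECTION_HDR.unpack_from(data, sec_table + i * SECTION_HDR.size)
        end = max(end, hdr[4] + hdr[3])                              # PointerToRawData + SizeOfRawData
    end = min(end, len(data))                                         # a section may claim bytes beyond EOF
    cert_off = cert_size = 0
    if size_opt >= (dir_base - opt) + 5 * 8:
        cert_off, cert_size = struct.unpack_from("<II", data, dir_base + 4 * 8)
    tail_start = end
    if cert_size and end <= cert_off < len(data):
        tail_start = min(cert_off + cert_size, len(data))
    tail = data[tail_start:]
    return {"end_of_sections": end, "overlay_size": len(data) - end,
            "cert_bytes": tail_start - end, "unexplained_bytes": len(tail),
            "nested_mz": b"MZ" in tail}


if __name__ == "__main__":
    sample = build_sample_pe([b"A" * 100], signature=b"S" * 64, overlay=b"MZ" + b"\x90" * 30)
    print(analyze_overlay(sample))
```

Run it against real files by passing `open(path, "rb").read()` to `analyze_overlay`; a non-zero `unexplained_bytes` on a file that should be a plain compiled binary, and especially `nested_mz`, is the artefact the CertutilDecode branch of the query is trying to catch one step earlier, at the point the payload is carved out.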
MITRE ATT&CK
- Tactic: Defense Evasion
- Technique: T1027 Obfuscated Files or Information
- Sub-technique: T1027.009 Embedded Payloads
- Canonical reference: https://attack.mitre.org/techniques/T1027/009/
LogScale Detection Query
```
#event_simpleName = /^(ProcessRollup2|SyntheticProcessRollup2|FileWritten)$/
| case {
    #event_simpleName = /ProcessRollup2/
    | FileName = /(?i)certutil\.exe$/
    | CommandLine = /(?i)-(decode|urlcache)/
    | CommandLine = /(?i)\.(exe|dll|bin|dat|cfg)/
    | DetectionType := "CertutilDecode" ;
    #event_simpleName = /ProcessRollup2/
    | FileName = /(?i)(expand|extrac32|makecab)\.exe$/
    | CommandLine = /(?i)\.(exe|dll|bin)/
    | DetectionType := "ExpandExtract" ;
    #event_simpleName = /FileWritten/
    | TargetFileName = /(?i)\.(exe|dll|bin|shellcode)$/
    | ImageFileName = /(?i)(WINWORD|EXCEL|POWERPNT|AcroRd32|FoxitPDFReader|wscript|cscript|mshta)\.exe$/
    | DetectionType := "OfficeBinaryDrop"
}
| table(
    [_time, ComputerName, UserName, FileName, CommandLine,
     ImageFileName, TargetFileName, DetectionType]
)
| sort(field=_time, order=desc)
```
CrowdStrike LogScale (Falcon) query detecting T1027.009 Embedded Payloads across three branches, using a case expression over ProcessRollup2 (including SyntheticProcessRollup2) and FileWritten sensor events: CertutilDecode identifies certutil -decode/-urlcache invocations that reference binary formats; ExpandExtract flags expand/extrac32/makecab dropping executables; OfficeBinaryDrop detects FileWritten events for executables created by Office, Acrobat, or Windows Script Host processes. The case expression has no default branch, so events not matching any branch are dropped.
Data Sources
Required Tables
False Positives & Tuning
- Falcon-monitored endpoints where IT automation invokes certutil.exe for legitimate certificate management operations such as importing root CA certificates or generating PKCS#7 encoded trust bundles with .bin output paths
- Enterprise software packaging workflows that use makecab.exe or expand.exe as part of MSI bootstrapper or ClickOnce deployment routines, triggering the ExpandExtract branch during sanctioned application rollouts
- Microsoft Office add-ins or third-party COM objects that write new .dll components to the user profile or program files during plugin update cycles, generating OfficeBinaryDrop telemetry from WINWORD.EXE or EXCEL.EXE
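To check the branch logic and the tuning against known events before deploying it, the Python script below (an added example for this page, not a CrowdStrike or LogScale artefact) transcribes the three case branches into regexes, applies an allowlist of the kind the False Positives section calls for, and emits the same table the query would. Field names follow the Falcon sensor event fields used in the query; the sample events, the `svc-pki` account and the `\build\` path in the allowlist are constructed for the example, and `classify`, `is_allowlisted` and `run_detection` are names chosen here.

```python
import re

# Regexes transcribed from the three branches of the LogScale case expression.
CERTUTIL_FILE = re.compile(r"certutil\.exe$", re.I)
CERTUTIL_VERB = re.compile(r"-(decode|urlcache)", re.I)
CERTUTIL_EXT = re.compile(r"\.(exe|dll|bin|dat|cfg)", re.I)
EXPAND_FILE = re.compile(r"(expand|extrac32|makecab)\.exe$", re.I)
EXPAND_EXT = re.compile(r"\.(exe|dll|bin)", re.I)
DROP_TARGET = re.compile(r"\.(exe|dll|bin|shellcode)$", re.I)
DROP_WRITER = re.compile(
    r"(WINWORD|EXCEL|POWERPNT|AcroRd32|FoxitPDFReader|wscript|cscript|mshta)\.exe$", re.I)

TABLE_FIELDS = ["_time", "ComputerName", "UserName", "FileName", "CommandLine",
                "ImageFileName", "TargetFileName"]

# Assumed tuning allowlist (constructed, not from the page): (DetectionType, field, regex)
# triples suppressing the benign sources described under False Positives & Tuning.
ALLOWLIST = [
    ("CertutilDecode", "UserName", re.compile(r"^svc-pki$", re.I)),      # PKI automation account
    ("ExpandExtract", "CommandLine", re.compile(r"\\build\\", re.I)),    # packaging pipeline path
]


def classify(event):
    """Return the DetectionType the case expression assigns, or None when the event
    falls through every branch (the query has no '*' default, so it is dropped)."""
    name = event.get("event_simpleName", "")
    if not re.fullmatch(r"ProcessRollup2|SyntheticProcessRollup2|FileWritten", name):
        return None
    fn, cl = event.get("FileName", ""), event.get("CommandLine", "")
    # Branch order matters: case stops at the first branch that matches.
    if "ProcessRollup2" in name:
        if CERTUTIL_FILE.search(fn) and CERTUTIL_VERB.search(cl) and CERTUTIL_EXT.search(cl):
            return "CertutilDecode"
        if EXPAND_FILE.search(fn) and EXPAND_EXT.search(cl):
            return "ExpandExtract"
    if name == "FileWritten":
        if (DROP_TARGET.search(event.get("TargetFileName", ""))
                and DROP_WRITER.search(event.get("ImageFileName", ""))):
            return "OfficeBinaryDrop"
    return None


def is_allowlisted(event, detection, allowlist=ALLOWLIST):
    """True when a tuning rule for this DetectionType matches the event."""
    return any(det == detection and rx.search(event.get(field, ""))
               for det, field, rx in allowlist)


def run_detection(events, allowlist=ALLOWLIST):
    """Emulate the query end to end: classify, apply tuning, project the table fields,
    sort newest first. Returns the rows the query would display."""
    rows = []
    for ev in events:
        det = classify(ev)
        if det is None or is_allowlisted(ev, det, allowlist):
            continue
        row = {k: ev.get(k) for k in TABLE_FIELDS}
        row["DetectionType"] = det
        rows.append(row)
    rows.sort(key=lambda r: r["_time"], reverse=True)
    return rows


# Constructed sensor events shaped like Falcon ProcessRollup2 / FileWritten records.
OFFICE = "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"
SAMPLE_EVENTS = [
    {"event_simpleName": "ProcessRollup2", "_time": 1000, "ComputerName": "WS01", "UserName": "jdoe",
     "FileName": "certutil.exe",
     "CommandLine": "certutil -decode %TEMP%\\encoded_payload.txt %TEMP%\\extracted_payload.exe"},
    {"event_simpleName": "ProcessRollup2", "_time": 1001, "ComputerName": "PKI01", "UserName": "svc-pki",
     "FileName": "certutil.exe",
     "CommandLine": "certutil -decode C:\\pki\\bundle.b64 C:\\pki\\trust-bundle.bin"},
    {"event_simpleName": "ProcessRollup2", "_time": 1002, "ComputerName": "WS02", "UserName": "jdoe",
     "FileName": "expand.exe",
     "CommandLine": "expand C:\\Users\\jdoe\\Downloads\\stage.cab C:\\Users\\jdoe\\AppData\\Local\\Temp\\stage.dll"},
    {"event_simpleName": "FileWritten", "_time": 1003, "ComputerName": "WS01", "UserName": "jdoe",
     "ImageFileName": OFFICE, "TargetFileName": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\stage2.dll"},
    {"event_simpleName": "FileWritten", "_time": 1004, "ComputerName": "WS01", "UserName": "jdoe",
     "ImageFileName": OFFICE, "TargetFileName": "C:\\Users\\jdoe\\Documents\\report.docx"},
    {"event_simpleName": "ProcessRollup2", "_time": 1005, "ComputerName": "BUILD01", "UserName": "svc-build",
     "FileName": "makecab.exe", "CommandLine": "makecab C:\\build\\setup.exe C:\\build\\setup.cab"},
]

if __name__ == "__main__":
    for row in run_detection(SAMPLE_EVENTS):
        print(row["_time"], row["DetectionType"], row["ComputerName"], row["UserName"])
```

Of the six constructed events, three reach the table: the certutil decode on WS01, the expand on WS02 and the Word DLL write; the PKI and build-pipeline events hit a branch but are suppressed by the allowlist, and the .docx write falls through every branch. When adding an allowlist entry to the real query, key it on the most specific field available (account, parent process or path) rather than on the tool name, so the branch keeps firing for the same tool used from an unexpected context.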
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Extract Embedded Payload from PE Overlay with certutil
Expected signal: Sysmon Event ID 1: certutil.exe with -encode and then -decode arguments. Sysmon Event ID 11: encoded_payload.txt and extracted_payload.exe created in %TEMP%. The -decode operation creates an executable from a text file.
- Test 2: Office Macro Dropping Embedded Executable
Expected signal: Sysmon Event ID 1: PowerShell spawning Word COM object. Word process creating a document with VBA code. File creation of macro_test.doc.
- Test 3: Embed Payload in PE Resources Section
Expected signal: PowerShell process creation demonstrating the concept. Binary data file creation in %TEMP%.
- Test 4: Extract Payload from LNK ExtraData Field
Expected signal: Sysmon Event ID 11: embedded_lnk.lnk created in %TEMP%. Sysmon Event ID 1: cmd.exe spawned from LNK execution with arguments. Sysmon Event ID 11: lnk_output.txt created.
References (5)
- https://attack.mitre.org/techniques/T1027/009/
- https://github.com/peewpw/Invoke-PSImage
- https://www.cisa.gov/uscert/ncas/analysis-reports/ar20-303a
- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-shllink/c41e062d-f764-4f13-bd4f-ea812ab9a4d1
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.009/T1027.009.md