T1027.009 IBM QRadar · QRadar

Detect Embedded Payloads in IBM QRadar

Adversaries may embed payloads within other files to conceal malicious content from defenses. Otherwise seemingly benign files (such as scripts and executables) may be abused to carry and obfuscate malicious payloads and content. Adversaries have been observed embedding payloads as PE overlays, within resource sections of legitimate binaries, inside LNK file ExtraData fields, within Office VBA macros, and nested inside other file types. Notable examples include Emotet embedding executables in dropper binaries, DEADEYE embedding payloads in compiled binaries, Lazarus Group distributing malicious payloads in PNG files, Pikabot loading encrypted chunked PE sections, and Uroburos storing executable payloads in encrypted Queue files.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1027 Obfuscated Files or Information
Sub-technique
T1027.009 Embedded Payloads
Canonical reference
https://attack.mitre.org/techniques/T1027/009/

QRadar Detection Query

IBM QRadar (QRadar)

```sql
SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS "Event Time",
  sourceip AS "Source IP",
  username AS "Username",
  "Process Name",
  "Command Line",
  "Target File Name",
  QIDNAME(qid) AS "QID Name",
  LOGSOURCETYPENAME(logsourceid) AS "Log Source Type"
FROM events
WHERE
  LOGSOURCETYPENAME(logsourceid) IN (
    'Microsoft Windows Security Event Log',
    'Microsoft Sysmon'
  )
  AND (
    (
      (
        QIDNAME(qid) ILIKE '%Process Create%'
        OR CATEGORYNAME(category) ILIKE '%process%'
      )
      AND (
        (
          "Process Name" ILIKE '%certutil.exe'
          AND (
            "Command Line" ILIKE '%-decode%'
            OR "Command Line" ILIKE '%-urlcache%'
          )
          AND (
            "Command Line" ILIKE '%.exe%'
            OR "Command Line" ILIKE '%.dll%'
            OR "Command Line" ILIKE '%.bin%'
            OR "Command Line" ILIKE '%.dat%'
          )
        )
        OR (
          (
            "Process Name" ILIKE '%expand.exe'
            OR "Process Name" ILIKE '%extrac32.exe'
            OR "Process Name" ILIKE '%makecab.exe'
          )
          AND (
            "Command Line" ILIKE '%.exe%'
            OR "Command Line" ILIKE '%.dll%'
            OR "Command Line" ILIKE '%.bin%'
          )
        )
      )
    )
    OR (
      QIDNAME(qid) ILIKE '%File Create%'
      AND (
        "Target File Name" ILIKE '%.exe'
        OR "Target File Name" ILIKE '%.dll'
        OR "Target File Name" ILIKE '%.bin'
        OR "Target File Name" ILIKE '%.shellcode'
      )
      AND (
        "Process Name" ILIKE '%WINWORD.EXE'
        OR "Process Name" ILIKE '%EXCEL.EXE'
        OR "Process Name" ILIKE '%POWERPNT.EXE'
        OR "Process Name" ILIKE '%AcroRd32.exe'
        OR "Process Name" ILIKE '%FoxitPDFReader.exe'
        OR "Process Name" ILIKE '%wscript.exe'
        OR "Process Name" ILIKE '%cscript.exe'
        OR "Process Name" ILIKE '%mshta.exe'
      )
    )
  )
-- In AQL the time-range clause comes after ORDER BY, not before it.
ORDER BY devicetime DESC
LAST 24 HOURS
```

Severity: high. Confidence: medium.

QRadar AQL query detecting T1027.009 Embedded Payloads by correlating Windows Security Event Log and Sysmon DSM-parsed events. Identifies certutil -decode/-urlcache invocations targeting binary formats and Sysmon FileCreate events where a document application or script host writes an executable to disk. Custom properties 'Process Name', 'Command Line', and 'Target File Name' must be extracted via your Sysmon DSM configuration.

Data Sources

  • IBM QRadar SIEM
  • Windows Security Event Log DSM
  • Microsoft Sysmon DSM (custom property extraction required)

Required Tables

events

False Positives & Tuning

  • PKI administrators and certificate lifecycle management automation using certutil.exe for legitimate base64 decode, CRL distribution point downloads, or PKCS#12 bundle generation where output file extensions match .bin or .dat
  • Managed endpoint deployment pipelines (BigFix, Tanium, SCCM) that invoke expand.exe or extrac32.exe to extract cabinet-packaged installer components as part of sanctioned software distribution workflows
  • Document digitization or DLP inspection tools that temporarily write executable helper components to disk from within Office or Acrobat process contexts during content transformation pipelines

Testing Methodology

Validate this detection against the 4 adversary techniques below, taken from Atomic Red Team. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Extract Embedded Payload from PE Overlay with certutil

    Expected signal: Sysmon Event ID 1: certutil.exe with -encode and then -decode arguments. Sysmon Event ID 11: encoded_payload.txt and extracted_payload.exe created in %TEMP%. The -decode operation creates an executable from a text file.

  2. Test 2: Office Macro Dropping Embedded Executable

    Expected signal: Sysmon Event ID 1: PowerShell spawning Word COM object. Word process creating a document with VBA code. File creation of macro_test.doc.

  3. Test 3: Embed Payload in PE Resources Section

    Expected signal: PowerShell process creation demonstrating the concept. Binary data file creation in %TEMP%.

  4. Test 4: Extract Payload from LNK ExtraData Field

    Expected signal: Sysmon Event ID 11: embedded_lnk.lnk created in %TEMP%. Sysmon Event ID 1: cmd.exe spawned from LNK execution with arguments. Sysmon Event ID 11: lnk_output.txt created.
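To see which of the expected test signals the AQL WHERE clause above actually alerts on, here is an added Python model of that predicate (not code from QRadar or from this page) run over constructed Sysmon-style events; the field names `qid_name`, `category`, `process_name`, `command_line` and `target_file_name` are assumptions standing in for the QID name and the custom properties the query reads.

```python
"""Added example, not the page's or QRadar's own code: a Python model of the AQL
WHERE clause above, run over constructed Sysmon-style events mirroring the Atomic
Red Team signals listed in the Testing Methodology. Field names are assumptions."""
import fnmatch

def ilike(value, pattern):
    """Approximate AQL ILIKE: case-insensitive, '%' is a multi-character wildcard."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower().replace("%", "*"))

def any_like(value, patterns):
    return any(ilike(value, p) for p in patterns)

CAB_TOOLS = ("%expand.exe", "%extrac32.exe", "%makecab.exe")
DROPPER_HOSTS = ("%WINWORD.EXE", "%EXCEL.EXE", "%POWERPNT.EXE", "%AcroRd32.exe",
                 "%FoxitPDFReader.exe", "%wscript.exe", "%cscript.exe", "%mshta.exe")

def matching_branch(ev):
    """Return the branch of the AQL WHERE clause that fires for one event, or None."""
    proc, cmd = ev.get("process_name", ""), ev.get("command_line", "")
    if ilike(ev.get("qid_name", ""), "%Process Create%") or ilike(ev.get("category", ""), "%process%"):
        if (ilike(proc, "%certutil.exe") and any_like(cmd, ("%-decode%", "%-urlcache%"))
                and any_like(cmd, ("%.exe%", "%.dll%", "%.bin%", "%.dat%"))):
            return "certutil"
        if any_like(proc, CAB_TOOLS) and any_like(cmd, ("%.exe%", "%.dll%", "%.bin%")):
            return "cab-tool"
    if ilike(ev.get("qid_name", ""), "%File Create%"):
        if (any_like(ev.get("target_file_name", ""), ("%.exe", "%.dll", "%.bin", "%.shellcode"))
                and any_like(proc, DROPPER_HOSTS)):
            return "dropper"
    return None

# Constructed events modelled on the test signals above; paths and user names are made up.
SAMPLE_EVENTS = {
    "test1_certutil": {"qid_name": "Process Create", "process_name": r"C:\Windows\System32\certutil.exe",
        "command_line": r"certutil.exe -decode %TEMP%\encoded_payload.txt %TEMP%\extracted_payload.exe"},
    "test2_word_doc": {"qid_name": "File Create", "process_name": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "target_file_name": r"C:\Users\analyst\macro_test.doc"},
    "word_drops_exe": {"qid_name": "File Create", "process_name": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "target_file_name": r"C:\Users\analyst\AppData\Local\Temp\stage2.exe"},
    "test4_cmd_txt": {"qid_name": "File Create", "process_name": r"C:\Windows\System32\cmd.exe",
        "target_file_name": r"C:\Users\analyst\AppData\Local\Temp\lnk_output.txt"},
}

def evaluate(events=SAMPLE_EVENTS):
    """Map each sample event name to the branch that fires, or None when no alert is raised."""
    return {name: matching_branch(ev) for name, ev in events.items()}

if __name__ == "__main__":
    for name, branch in evaluate().items():
        print(f"{name:16} -> {branch or 'no alert'}")
```

Only the Test 1 certutil signal satisfies the rule as written; Test 2's macro_test.doc and Test 4's lnk_output.txt fall outside the File Create extension list (and cmd.exe is not a listed dropper host), so those tests confirm the telemetry is arriving rather than that this detection fires.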
