T1027.009 Sumo Logic CSE · Sumo

Detect Embedded Payloads in Sumo Logic CSE

Adversaries may embed payloads within other files to conceal malicious content from defenses. Otherwise seemingly benign files (such as scripts and executables) may be abused to carry and obfuscate malicious payloads and content. Adversaries have been observed embedding payloads as PE overlays, within resource sections of legitimate binaries, inside LNK file ExtraData fields, within Office VBA macros, and nested inside other file types. Notable examples include Emotet embedding executables in dropper binaries, DEADEYE embedding payloads in compiled binaries, Lazarus Group distributing malicious payloads in PNG files, Pikabot loading encrypted chunked PE sections, and Uroburos storing executable payloads in encrypted Queue files.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1027 Obfuscated Files or Information
Sub-technique
T1027.009 Embedded Payloads
Canonical reference
https://attack.mitre.org/techniques/T1027/009/

Sumo Detection Query

Sumo Logic CSE (Sumo)

_sourceCategory=windows/sysmon (EventCode=1 OR EventCode=11)
| parse field=EventData "<Data Name='Image'>*</Data>" as Image nodrop
| parse field=EventData "<Data Name='CommandLine'>*</Data>" as CommandLine nodrop
| parse field=EventData "<Data Name='TargetFilename'>*</Data>" as TargetFilename nodrop
| parse field=EventData "<Data Name='User'>*</Data>" as User nodrop
| where (
    (
      EventCode = "1"
      and Image matches /(?i).*certutil\.exe$/
      and (
        CommandLine matches /(?i).*-decode.*/
        or CommandLine matches /(?i).*-urlcache.*/
      )
      and (
        CommandLine matches /(?i).*\.exe.*/
        or CommandLine matches /(?i).*\.dll.*/
        or CommandLine matches /(?i).*\.bin.*/
        or CommandLine matches /(?i).*\.dat.*/
      )
    )
    or (
      EventCode = "1"
      and (
        Image matches /(?i).*expand\.exe$/
        or Image matches /(?i).*extrac32\.exe$/
        or Image matches /(?i).*makecab\.exe$/
      )
      and (
        CommandLine matches /(?i).*\.exe.*/
        or CommandLine matches /(?i).*\.dll.*/
        or CommandLine matches /(?i).*\.bin.*/
      )
    )
    or (
      EventCode = "11"
      and (
        TargetFilename matches /(?i).*\.exe$/
        or TargetFilename matches /(?i).*\.dll$/
        or TargetFilename matches /(?i).*\.bin$/
        or TargetFilename matches /(?i).*\.shellcode$/
      )
      and Image matches /(?i).*(WINWORD|EXCEL|POWERPNT|AcroRd32|FoxitPDFReader|wscript|cscript|mshta)\.exe$/
    )
  )
| if (EventCode = "1" and Image matches /(?i).*certutil.*/, "certutil_decode",
    if (EventCode = "1", "expand_extract", "office_binary_drop")) as ThreatPattern
| if (EventCode = "1", "Process Execution", "File Creation") as EventType
| fields _time, Computer, User, Image, CommandLine, TargetFilename, EventType, ThreatPattern
| sort by _time desc

Severity: high. Confidence: medium.

Sumo Logic query detecting T1027.009 Embedded Payloads by parsing the Sysmon EventCode 1 (Process Create) and EventCode 11 (File Create) EventData XML inline. It identifies certutil -decode/-urlcache command lines that name a binary format (.exe, .dll, .bin, .dat), expand/extrac32/makecab command lines that name executables, and .exe/.dll/.bin/.shellcode files written to disk by Office applications, PDF readers or Windows script hosts. Adjust _sourceCategory to match your Sumo Logic collector source path. Two things to confirm before relying on it: EventCode, EventData and Computer must already be available as fields (the JSON output of the Windows Event Log Source, either auto-parsed or extracted with a Field Extraction Rule), and the parse anchors assume single-quoted Name attributes in EventData, so check how your collector renders the Sysmon XML (Sysmon's native XML uses double quotes) and adjust the anchors if it differs. Also note that matches only treats its argument as a regular expression in the /regex/ form; a quoted string is a glob in which * is a wildcard, so the (?i), \. and $ tokens must stay inside slashes or the conditions never match.
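To see what the query's three branches actually match, the same parse-and-filter logic is reproduced here as an added Python example (not code from the page or from Sumo Logic) and run over five constructed Sysmon records. The hostnames, users, paths and command lines are made up; the record shape assumes the Windows Event Log Source's JSON output with EventData carried as an XML string.

```python
import json
import re

# Constructed sample records, not real telemetry. They mimic the shape the
# Sumo Logic Windows Event Log Source emits in JSON format: top-level
# EventCode / Computer fields plus the Sysmon EventData XML as a string.
# The query's parse anchors assume single-quoted Name attributes; the
# extractor below accepts either quote style so it survives a collector
# that preserves Sysmon's double quotes.
def _record(event_code, computer, **data):
    xml = "".join(f"<Data Name='{name}'>{value}</Data>" for name, value in data.items())
    return json.dumps({"EventCode": event_code, "Computer": computer, "EventData": xml})

SAMPLE_EVENTS = [
    _record("1", "WS01", Image=r"C:\Windows\System32\certutil.exe",
            CommandLine=r"certutil -decode C:\Users\alice\AppData\Local\Temp\p.txt "
                        r"C:\Users\alice\AppData\Local\Temp\p.exe",
            User=r"CORP\alice"),
    _record("1", "WS02", Image=r"C:\Windows\System32\expand.exe",
            CommandLine=r"expand C:\Temp\pkg.cab -F:*.dll C:\Temp\out", User=r"CORP\bob"),
    _record("11", "WS03", Image=r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
            TargetFilename=r"C:\Users\carol\AppData\Local\Temp\helper.exe", User=r"CORP\carol"),
    # Benign: certificate verification, no -decode/-urlcache and no binary extension.
    _record("1", "WS04", Image=r"C:\Windows\System32\certutil.exe",
            CommandLine=r"certutil -verify C:\PKI\root.cer", User=r"CORP\dave"),
    # Benign: Word's own owner/lock file, not a binary extension.
    _record("11", "WS05", Image=r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
            TargetFilename=r"C:\Users\erin\Documents\~$report.docx", User=r"CORP\erin"),
]

# The query's three branches as Python regexes (re.I stands in for (?i)).
CERTUTIL_IMAGE = re.compile(r"certutil\.exe$", re.I)
CERTUTIL_ARGS = re.compile(r"-decode|-urlcache", re.I)
CERTUTIL_BINARY = re.compile(r"\.(exe|dll|bin|dat)", re.I)
EXPAND_IMAGE = re.compile(r"(expand|extrac32|makecab)\.exe$", re.I)
EXPAND_BINARY = re.compile(r"\.(exe|dll|bin)", re.I)
DROPPED_BINARY = re.compile(r"\.(exe|dll|bin|shellcode)$", re.I)
DROPPER_IMAGE = re.compile(
    r"(WINWORD|EXCEL|POWERPNT|AcroRd32|FoxitPDFReader|wscript|cscript|mshta)\.exe$", re.I)

# One <Data Name=...>value</Data> element; accepts single or double quotes.
DATA_RE = re.compile(r"""<Data Name=['"]([^'"]+)['"]>(.*?)</Data>""", re.S)


def parse_event(raw: str) -> dict:
    """Equivalent of the four `parse field=EventData ... nodrop` stages."""
    rec = json.loads(raw)
    fields = dict(DATA_RE.findall(rec.get("EventData", "")))
    return {
        "EventCode": str(rec.get("EventCode", "")),
        "Computer": rec.get("Computer", ""),
        "Image": fields.get("Image", ""),
        "CommandLine": fields.get("CommandLine", ""),
        "TargetFilename": fields.get("TargetFilename", ""),
        "User": fields.get("User", ""),
    }


def classify(ev: dict):
    """Equivalent of the `where` clause plus the ThreatPattern assignment.
    Returns the pattern name, or None when the event would be filtered out."""
    if ev["EventCode"] == "1":
        if (CERTUTIL_IMAGE.search(ev["Image"])
                and CERTUTIL_ARGS.search(ev["CommandLine"])
                and CERTUTIL_BINARY.search(ev["CommandLine"])):
            return "certutil_decode"
        if EXPAND_IMAGE.search(ev["Image"]) and EXPAND_BINARY.search(ev["CommandLine"]):
            return "expand_extract"
    elif ev["EventCode"] == "11":
        if DROPPED_BINARY.search(ev["TargetFilename"]) and DROPPER_IMAGE.search(ev["Image"]):
            return "office_binary_drop"
    return None


def run_detection(raw_events):
    """Run the whole pipeline and return the rows the query would emit."""
    hits = []
    for raw in raw_events:
        ev = parse_event(raw)
        pattern = classify(ev)
        if pattern is None:
            continue
        ev["ThreatPattern"] = pattern
        ev["EventType"] = "Process Execution" if ev["EventCode"] == "1" else "File Creation"
        hits.append(ev)
    return hits


if __name__ == "__main__":
    for row in run_detection(SAMPLE_EVENTS):
        print(row["Computer"], row["EventType"], row["ThreatPattern"], row["Image"])
```

The two benign records are the interesting ones: `certutil -verify` survives because neither argument pattern nor a binary extension is present, and Word's `~$report.docx` survives only because of the extension filter, which is exactly the seam the RPA and update-agent false positives in the tuning notes slip through.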

Data Sources

  • Sumo Logic Installed Collector (Windows host)
  • Sysmon Operational Event Log (Microsoft-Windows-Sysmon/Operational)
  • Sumo Logic Windows Event Log Source

Required Tables

Sumo Logic index matching _sourceCategory=windows/sysmon

False Positives & Tuning

  • Enterprise PKI management scripts that invoke certutil.exe against .bin or .dat encoded certificate payloads during automated certificate rotation or trust anchor updates
  • Office-integrated Robotic Process Automation (RPA) tools such as UiPath or Automation Anywhere that write helper .exe or .dll components from within WINWORD or EXCEL process context during workflow agent initialization
  • Anti-malware or EDR product update agents that extract .exe or .dll payload components from within wscript.exe or cscript.exe contexts as part of a scripted signature or definition update routine

Testing Methodology

Validate this detection against four Atomic Red Team tests for T1027.009. Each test below lists the behaviour to exercise, the telemetry you should expect to see, and whether the query above is expected to fire on it. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Extract Embedded Payload from PE Overlay with certutil

    Expected signal: Sysmon Event ID 1: certutil.exe with -encode and then -decode arguments. Sysmon Event ID 11: encoded_payload.txt and extracted_payload.exe created in %TEMP%. The -decode operation creates an executable from a text file. Query coverage: the -decode invocation matches the certutil_decode branch because its command line names the .exe destination; the -encode invocation does not match, and the file-create events do not match because certutil.exe is not one of the EventCode 11 dropper images.

  2. Test 2: Office Macro Dropping Embedded Executable

    Expected signal: Sysmon Event ID 1: powershell.exe, then WINWORD.EXE started through the Word COM object. Because the launch is a COM activation, WINWORD.EXE is normally parented by svchost.exe (DcomLaunch) rather than by powershell.exe, so do not key on ParentImage when validating. Word process creating a document with VBA code. File creation of macro_test.doc. Query coverage: the office_binary_drop branch fires only if the macro goes on to write a .exe, .dll, .bin or .shellcode file from the WINWORD.EXE process; the .doc write alone does not match.

  3. Test 3: Embed Payload in PE Resources Section

    Expected signal: PowerShell process creation demonstrating the concept. Binary data file creation in %TEMP%. Query coverage: none. powershell.exe is not among the images the query inspects, so this test documents a coverage gap rather than validating the rule.

  4. Test 4: Extract Payload from LNK ExtraData Field

    Expected signal: Sysmon Event ID 11: embedded_lnk.lnk created in %TEMP%. Sysmon Event ID 1: cmd.exe spawned from LNK execution with arguments. Sysmon Event ID 11: lnk_output.txt created. Query coverage: none; neither cmd.exe nor .lnk/.txt file creations are in scope of the query.
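Test 1 names a PE overlay as the hiding place, and once the query fires the next question is whether the dropped binary actually carries one. As an added example (not code from the page, from Atomic Red Team, or from any vendor), this Python script shows the check a responder would run on the file: locate where the last section's raw data ends, treat everything after it as the overlay, and subtract an Authenticode signature (which legitimately lives in the overlay) before deciding. The PE builder constructs minimal, non-loadable PE32 files purely so the check has something to run against; all of its bytes, names and sizes are made up for the example.

```python
import struct

FILE_ALIGN = 0x200


def build_pe(section_data: bytes, overlay: bytes = b"", signature: bytes = b"") -> bytes:
    """Constructed minimal PE32 file for this example (not loadable, not a real
    binary): DOS header, PE signature, COFF header, optional header with the 16
    data directories, one section. `overlay` is appended after the section's
    raw data; `signature` stands in for an Authenticode blob and is registered
    in the Security data directory (index 4), as it would be in a signed file."""
    e_lfanew = 0x40
    opt_size = 96 + 16 * 8                       # PE32 optional header incl. data dirs
    hdr_len = e_lfanew + 4 + 20 + opt_size + 40  # headers + one section entry
    raw_ptr = -(-hdr_len // FILE_ALIGN) * FILE_ALIGN
    raw_size = -(-len(section_data) // FILE_ALIGN) * FILE_ALIGN
    sig_off = raw_ptr + raw_size + len(overlay) if signature else 0
    dos = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", e_lfanew)      # e_lfanew at 0x3C
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    dirs = b"\x00" * 32 + struct.pack("<II", sig_off, len(signature)) + b"\x00" * 88
    opt = struct.pack("<H", 0x10B) + b"\x00" * 94 + dirs             # magic, padding, dirs
    sect = b".text".ljust(8, b"\x00") + struct.pack(
        "<IIIIIIHHI", len(section_data), 0x1000, raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    headers = (dos + b"PE\x00\x00" + coff + opt + sect).ljust(raw_ptr, b"\x00")
    return headers + section_data.ljust(raw_size, b"\x00") + overlay + signature


def find_overlay(pe: bytes):
    """Return (overlay_offset, overlay_bytes). The overlay is everything past the
    end of the last section's raw data, minus the Authenticode signature when the
    Security data directory points into that region."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    dir_base = 96 if magic == 0x10B else 112     # data directories: PE32 vs PE32+
    # Security directory (index 4) holds a file offset, not an RVA.
    sig_off, sig_size = struct.unpack_from("<II", pe, opt + dir_base + 4 * 8)
    sect_table = opt + opt_size
    end = 0
    for i in range(num_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", pe, sect_table + i * 40 + 16)
        end = max(end, raw_ptr + raw_size)
    end = min(end, len(pe))                      # tolerate truncated files
    overlay = pe[end:]
    if sig_size and sig_off >= end:
        overlay = pe[end:sig_off] + pe[sig_off + sig_size:]
    return end, overlay


def triage(pe: bytes) -> dict:
    """Summarise what sits past the last section: its size and whether it begins
    with an MZ header (a whole embedded PE, the case Test 1 exercises)."""
    end, overlay = find_overlay(pe)
    return {"overlay_offset": end, "overlay_bytes": len(overlay),
            "embedded_pe": overlay[:2] == b"MZ"}


if __name__ == "__main__":
    inner = build_pe(b"\x90" * 8)                # the "payload" hidden in the overlay
    fake_sig = b"\x30\x82" + b"\x00" * 30        # stands in for a PKCS#7 blob
    samples = {
        "clean": build_pe(b"\xC3" * 16),
        "signed": build_pe(b"\xC3" * 16, signature=fake_sig),
        "pe_in_overlay": build_pe(b"\xC3" * 16, overlay=inner),
        "signed_plus_overlay": build_pe(b"\xC3" * 16, overlay=b"PAYLOAD" * 10, signature=fake_sig),
    }
    for name, sample in samples.items():
        print(name, triage(sample))
```

The signature exclusion is the part worth keeping: a naive "file size minus end of last section" check flags every signed binary on the host, whereas a file that is both signed and carries data between the sections and the signature is still reported.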
