Setup16.EXE Execution With Custom .Lst File
Detects the execution of "Setup16.EXE" and old installation utility with a custom ".lst" file. These ".lst" file can contain references to external program that "Setup16.EXE" will execute. Attackers and adversaries might leverage this as a living of the land utility.
Sigma rule (View on GitHub)
1title: Setup16.EXE Execution With Custom .Lst File
2id: 99c8be4f-3087-4f9f-9c24-8c7e257b442e
3status: experimental
4description: |
5 Detects the execution of "Setup16.EXE" and old installation utility with a custom ".lst" file.
6 These ".lst" file can contain references to external program that "Setup16.EXE" will execute.
7 Attackers and adversaries might leverage this as a living of the land utility.
8references:
9 - https://www.hexacorn.com/blog/2024/10/12/the-sweet16-the-oldbin-lolbin-called-setup16-exe/
10author: frack113
11date: 2024-12-01
12tags:
13 - attack.defense-evasion
14 - attack.t1574.005
15logsource:
16 category: process_creation
17 product: windows
18detection:
19 selection:
20 ParentImage: 'C:\Windows\SysWOW64\setup16.exe'
21 ParentCommandLine|contains: ' -m '
22 filter_optional_valid_path:
23 Image|startswith: 'C:\~MSSETUP.T\'
24 condition: selection and not 1 of filter_optional_*
25falsepositives:
26 - On modern Windows system, the "Setup16" utility is practically never used, hence false positive should be very rare.
27level: medium
References
-
I don’t even know how to start. I wrote about old InstallShield setup before, and today’s topic is very similar – the old, yet still present setup file residing (on Win10, 11) in the following loca...
Read More
Related rules
- Suspicious ShellExec_RunDLL Call Via Ordinal
- Suspicious Usage Of ShellExec_RunDLL
- All Rules Have Been Deleted From The Windows Firewall Configuration
- CodePage Modification Via MODE.COM To Russian Language
- GCP Break-glass Container Workload Deployed