Setup16.EXE Execution With Custom .Lst File
Detects the execution of "Setup16.EXE" and old installation utility with a custom ".lst" file. These ".lst" file can contain references to external program that "Setup16.EXE" will execute. Attackers and adversaries might leverage this as a living of the land utility.
Sigma rule (View on GitHub)
1title: Setup16.EXE Execution With Custom .Lst File
2id: 99c8be4f-3087-4f9f-9c24-8c7e257b442e
3status: test
4description: |
5 Detects the execution of "Setup16.EXE" and old installation utility with a custom ".lst" file.
6 These ".lst" file can contain references to external program that "Setup16.EXE" will execute.
7 Attackers and adversaries might leverage this as a living of the land utility.
8references:
9 - https://www.hexacorn.com/blog/2024/10/12/the-sweet16-the-oldbin-lolbin-called-setup16-exe/
10author: frack113
11date: 2024-12-01
12tags:
13 - attack.privilege-escalation
14 - attack.persistence
15 - attack.defense-evasion
16 - attack.t1574.005
17logsource:
18 category: process_creation
19 product: windows
20detection:
21 selection:
22 ParentImage: 'C:\Windows\SysWOW64\setup16.exe'
23 ParentCommandLine|contains: ' -m '
24 filter_optional_valid_path:
25 Image|startswith: 'C:\~MSSETUP.T\'
26 condition: selection and not 1 of filter_optional_*
27falsepositives:
28 - On modern Windows system, the "Setup16" utility is practically never used, hence false positive should be very rare.
29level: medium
References
-
I don’t even know how to start. I wrote about old InstallShield setup before, and today’s topic is very similar – the old, yet still present setup file residing (on Win10, 11) in the following loca...
Read More
Related rules
- HackTool - SharpUp PrivEsc Tool Execution
- APT27 - Emissary Panda Activity
- AWS IAM S3Browser LoginProfile Creation
- AWS IAM S3Browser Templated S3 Bucket Policy Creation
- AWS IAM S3Browser User or AccessKey Creation