Detects the execution of “Setup16.EXE” and old installation utility with a custom “.lst” file. These “.lst” file can contain references to external program that “Setup16.EXE” will execute. Attackers a
title: Setup16.EXE Execution With Custom .Lst File
id: 99c8be4f-3087-4f9f-9c24-8c7e257b442e
status: test
description: |
Detects the execution of "Setup16.EXE" and old installation utility with a custom ".lst" file.
These ".lst" file can contain references to external program that "Setup16.EXE" will execute.
Attackers and adversaries might leverage this as a living of the land utility.
references:
- https://www.hexacorn.com/blog/2024/10/12/the-sweet16-the-oldbin-lolbin-called-setup16-exe/
author: frack113
date: 2024-12-01
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.stealth
- attack.t1574.005
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage: 'C:\Windows\SysWOW64\setup16.exe'
ParentCommandLine|contains: ' -m '
filter_optional_valid_path:
Image|startswith: 'C:\~MSSETUP.T\'
condition: selection and not 1 of filter_optional_*
falsepositives:
- On modern Windows system, the "Setup16" utility is practically never used, hence false positive should be very rare.
level: medium
imProcessCreate
| where ((ParentProcessName =~ "C:\\Windows\\SysWOW64\\setup16.exe" or ActingProcessName =~ "C:\\Windows\\SysWOW64\\setup16.exe") and ActingProcessCommandLine contains " -m ") and (not(TargetProcessName startswith "C:\\~MSSETUP.T\\"))| Sentinel Table | Notes |
|---|---|
imProcessCreate | Ensure this data connector is enabled |