Detectionmediumtest

Setup16.EXE Execution With Custom .Lst File

Detects the execution of "Setup16.EXE" and old installation utility with a custom ".lst" file. These ".lst" file can contain references to external program that "Setup16.EXE" will execute. Attackers and adversaries might leverage this as a living of the land utility.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

François HubautCreated Sun Dec 0199c8be4f-3087-4f9f-9c24-8c7e257b442ewindows

Log Source

WindowsProcess Creation

ProductWindows← raw: windows

CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic

detection:
    selection:
        ParentImage: 'C:\Windows\SysWOW64\setup16.exe'
        ParentCommandLine|contains: ' -m '
    filter_optional_valid_path:
        Image|startswith: 'C:\~MSSETUP.T\'
    condition: selection and not 1 of filter_optional_*

False Positives

On modern Windows system, the "Setup16" utility is practically never used, hence false positive should be very rare.

References

Resolving title…

hexacorn.com

MITRE ATT&CK

Tactics

TA0004 · Privilege Escalation TA0003 · Persistence TA0005 · Defense Evasion

Sub-techniques

T1574.005 · Executable Installer File Permissions Weakness

Rule Metadata

Rule ID

99c8be4f-3087-4f9f-9c24-8c7e257b442e

Status

test

Level

medium

Type

Detection

Created

Sun Dec 01

Author

François Hubaut

Path

rules/windows/process_creation/proc_creation_win_setup16_custom_lst_execution.yml

Raw Tags

attack.privilege-escalationattack.persistenceattack.defense-evasionattack.t1574.005

View on GitHub