← Back to Explore
sigmamediumHunting
Setup16.EXE Execution With Custom .Lst File
Detects the execution of "Setup16.EXE" and old installation utility with a custom ".lst" file. These ".lst" file can contain references to external program that "Setup16.EXE" will execute. Attackers and adversaries might leverage this as a living of the land utility.
Detection Query
selection:
ParentImage: C:\Windows\SysWOW64\setup16.exe
ParentCommandLine|contains: " -m "
filter_optional_valid_path:
Image|startswith: C:\~MSSETUP.T\
condition: selection and not 1 of filter_optional_*
Author
frack113
Created
2024-12-01
Data Sources
windowsProcess Creation Events
Platforms
windows
References
Tags
attack.privilege-escalationattack.persistenceattack.defense-evasionattack.t1574.005
Raw Content
title: Setup16.EXE Execution With Custom .Lst File
id: 99c8be4f-3087-4f9f-9c24-8c7e257b442e
status: test
description: |
Detects the execution of "Setup16.EXE" and old installation utility with a custom ".lst" file.
These ".lst" file can contain references to external program that "Setup16.EXE" will execute.
Attackers and adversaries might leverage this as a living of the land utility.
references:
- https://www.hexacorn.com/blog/2024/10/12/the-sweet16-the-oldbin-lolbin-called-setup16-exe/
author: frack113
date: 2024-12-01
tags:
- attack.privilege-escalation
- attack.persistence
- attack.defense-evasion
- attack.t1574.005
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage: 'C:\Windows\SysWOW64\setup16.exe'
ParentCommandLine|contains: ' -m '
filter_optional_valid_path:
Image|startswith: 'C:\~MSSETUP.T\'
condition: selection and not 1 of filter_optional_*
falsepositives:
- On modern Windows system, the "Setup16" utility is practically never used, hence false positive should be very rare.
level: medium