Title: Setup16.EXE Execution With Custom .Lst File
Status: experimental
Description: Detects the execution of "Setup16.EXE", an old installation utility, with a custom ".lst" file.
These ".lst" files can contain references to external programs that "Setup16.EXE" will execute.
Attackers and adversaries might leverage this as a living off the land utility.
References:
- https://www.hexacorn.com/blog/2024/10/12/the-sweet16-the-oldbin-lolbin-called-setup16-exe/
Author: frack113
Date: 2024-12-01
modified: None
Tags:
- 'attack.defense-evasion'
- 'attack.t1574.005'
Logsource:
    category: process_creation
    product: windows
Detection:
    selection:
        ParentImage: 'C:\Windows\SysWOW64\setup16.exe'
        ParentCommandLine|contains: ' -m '
    filter_optional_valid_path:
        Image|startswith: 'C:\~MSSETUP.T\'
    condition: selection and not 1 of filter_optional_*
Falsepositives:
- On modern Windows systems, the "Setup16" utility is practically never used, hence false positives should be very rare.
Level: medium
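
The rule's condition evaluated over process-creation events, as an added example that is not part of the original rule or of the Sigma project. The event records, the `custom.lst` and child paths, and all function names are constructed for illustration; matching is case-insensitive, as Sigma string comparisons are by default.

```python
# Added example: evaluates the rule's selection and optional filter in plain Python.
PARENT_IMAGE = "C:\\Windows\\SysWOW64\\setup16.exe"   # selection: ParentImage
PARENT_CMD_MARKER = " -m "                            # selection: ParentCommandLine|contains
VALID_CHILD_PREFIX = "C:\\~MSSETUP.T\\"               # filter: Image|startswith


def selection(event):
    """Both selection fields must match (fields inside one selection are ANDed)."""
    parent = event.get("ParentImage", "").lower()
    parent_cmd = event.get("ParentCommandLine", "").lower()
    return parent == PARENT_IMAGE.lower() and PARENT_CMD_MARKER in parent_cmd


def filter_optional_valid_path(event):
    """Child process started from the path the rule treats as expected."""
    return event.get("Image", "").lower().startswith(VALID_CHILD_PREFIX.lower())


def rule_matches(event):
    """condition: selection and not 1 of filter_optional_*"""
    return selection(event) and not filter_optional_valid_path(event)


def matching_ids(events):
    return [e["id"] for e in events if rule_matches(e)]


# Constructed sample events (hypothetical paths, not taken from real telemetry).
SAMPLE_EVENTS = [
    {"id": 1, "ParentImage": "C:\\Windows\\SysWOW64\\setup16.exe",
     "ParentCommandLine": "setup16.exe -m C:\\Temp\\custom.lst",
     "Image": "C:\\Temp\\tool.exe"},                   # child outside the expected path
    {"id": 2, "ParentImage": "C:\\Windows\\SysWOW64\\setup16.exe",
     "ParentCommandLine": "setup16.exe -m C:\\Temp\\custom.lst",
     "Image": "C:\\~MSSETUP.T\\child.exe"},            # removed by the optional filter
    {"id": 3, "ParentImage": "C:\\Windows\\SysWOW64\\setup16.exe",
     "ParentCommandLine": "setup16.exe",
     "Image": "C:\\Temp\\tool.exe"},                   # no ' -m ' in the parent command line
    {"id": 4, "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "ParentCommandLine": "cmd.exe /c run -m x",
     "Image": "C:\\Temp\\tool.exe"},                   # parent is not setup16.exe
    {"id": 5, "ParentImage": "c:\\windows\\syswow64\\SETUP16.EXE",
     "ParentCommandLine": "SETUP16.EXE -M C:\\Temp\\custom.lst",
     "Image": "C:\\Temp\\tool.exe"},                   # same as 1 with different casing
]

if __name__ == "__main__":
    print(matching_ids(SAMPLE_EVENTS))
```

Events 1 and 5 are the ones the rule would alert on; event 2 shows that any child whose image path begins with `C:\~MSSETUP.T\` is excluded, so that directory is worth reviewing separately when tuning.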