From 6e71f6ad5ef50a725a3670958da7054578e422b6 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Sun, 1 Dec 2024 17:35:53 +0100 Subject: [PATCH] Merge PR #5046 from @frack113 - Add `Setup16.EXE Execution With Custom .Lst File` new: Setup16.EXE Execution With Custom .Lst File --------- Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com> --- ...ation_win_setup16_custom_lst_execution.yml | 27 +++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 rules/windows/process_creation/proc_creation_win_setup16_custom_lst_execution.yml diff --git a/rules/windows/process_creation/proc_creation_win_setup16_custom_lst_execution.yml b/rules/windows/process_creation/proc_creation_win_setup16_custom_lst_execution.yml new file mode 100644 index 00000000000..59562675d67 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_setup16_custom_lst_execution.yml @@ -0,0 +1,27 @@ +title: Setup16.EXE Execution With Custom .Lst File +id: 99c8be4f-3087-4f9f-9c24-8c7e257b442e +status: experimental +description: | + Detects the execution of "Setup16.EXE" and old installation utility with a custom ".lst" file. + These ".lst" file can contain references to external program that "Setup16.EXE" will execute. + Attackers and adversaries might leverage this as a living of the land utility. +references: + - https://www.hexacorn.com/blog/2024/10/12/the-sweet16-the-oldbin-lolbin-called-setup16-exe/ +author: frack113 +date: 2024-12-01 +tags: + - attack.defense-evasion + - attack.t1574.005 +logsource: + category: process_creation + product: windows +detection: + selection: + ParentImage: 'C:\Windows\SysWOW64\setup16.exe' + ParentCommandLine|contains: ' -m ' + filter_optional_valid_path: + Image|startswith: 'C:\~MSSETUP.T\' + condition: selection and not 1 of filter_optional_* +falsepositives: + - On modern Windows system, the "Setup16" utility is practically never used, hence false positive should be very rare. +level: medium