Setup16.EXE Execution With Custom .Lst File

Rule Info

Name
Setup16.EXE Execution With Custom .Lst File
Author
frack113
Description
Detects the execution of "Setup16.EXE" and old installation utility with a custom ".lst" file. These ".lst" file can contain references to external program that "Setup16.EXE" will execute. Attackers and adversaries might leverage this as a living of the land utility.
Reference
https://www.hexacorn.com/blog/2024/10/12/the-sweet16-the-oldbin-lolbin-called-setup16-exe/
Date
2024-12-01 00:00:00
Modified
None
Id
99c8be4f-3087-4f9f-9c24-8c7e257b442e
Tags
attack.privilege-escalation attack.persistence attack.defense-evasion attack.t1574.005
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=99c8be4f-3087-4f9f-9c24-8c7e257b442e

Rule History

Author
Title
Date
Commit
phantinuss
chore: ci: bump validator version (#5722)
2025-10-23
c8075cab6
github-actions[bot]
Merge PR #5666 from @nasbench - chore: promote older rules status from `experimental` to `test`
2025-10-01
8af85d021
frack113
Merge PR #5046 from @frack113 - Add `Setup16.EXE Execution With Custom .Lst File`
2024-12-01
6e71f6ad5
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022