Techniques
Sample rules
Setup16.EXE Execution With Custom .Lst File
- source: sigma
- techniques:
- t1574
- t1574.005
Description
Detects the execution of “Setup16.EXE”, an old installation utility, with a custom “.lst” file. These “.lst” files can contain references to external programs that “Setup16.EXE” will execute. Attackers and adversaries might leverage this as a living-off-the-land utility.
Detection logic
condition: selection and not 1 of filter_optional_*
filter_optional_valid_path:
  Image|startswith: C:\~MSSETUP.T\
selection:
  ParentCommandLine|contains: ' -m '
  ParentImage: C:\Windows\SysWOW64\setup16.exe
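The detection logic above, evaluated over sample process-creation events. This is an added example, not part of the Sigma rule or its tooling; the helper names, event records and file paths are constructed for illustration, and only the field names and values inside RULE come from the rule.

```python
# Added example: the rule's logic evaluated over constructed process-creation events.
RULE = {
    "selection": {
        "ParentImage": r"C:\Windows\SysWOW64\setup16.exe",
        "ParentCommandLine|contains": " -m ",
    },
    "filter_optional_valid_path": {"Image|startswith": "C:\\~MSSETUP.T\\"},
}

def match_field(event, key, expected):
    """Apply one Sigma field test; Sigma string matching is case-insensitive."""
    field, _, modifier = key.partition("|")
    value = event.get(field)
    if value is None:
        return False
    value, expected = value.lower(), expected.lower()
    if modifier == "contains":
        return expected in value
    if modifier == "startswith":
        return value.startswith(expected)
    if modifier == "":
        return value == expected
    raise ValueError(f"unsupported modifier: {modifier}")

def match_block(event, block):
    """All fields inside one block must match (logical AND)."""
    return all(match_field(event, k, v) for k, v in block.items())

def rule_matches(event, rule=RULE):
    """condition: selection and not 1 of filter_optional_*"""
    if not match_block(event, rule["selection"]):
        return False
    filters = [b for n, b in rule.items() if n.startswith("filter_optional_")]
    return not any(match_block(event, b) for b in filters)

# Constructed sample events (hypothetical paths and file names).
PARENT = r"C:\Windows\SysWOW64\setup16.exe"
EVENTS = {
    "custom_lst": {"ParentImage": PARENT, "Image": r"C:\Users\Public\tool.exe",
                   "ParentCommandLine": r"setup16.exe -m C:\Users\Public\custom.lst"},
    "temp_dir_child": {"ParentImage": PARENT, "Image": "C:\\~MSSETUP.T\\child.exe",
                       "ParentCommandLine": r"setup16.exe -m C:\Install\setup.lst"},
    "no_m_switch": {"ParentImage": PARENT, "Image": r"C:\Users\Public\tool.exe",
                    "ParentCommandLine": "setup16.exe"},
    "upper_case": {"ParentImage": PARENT.upper(), "Image": r"C:\Temp\tool.exe",
                   "ParentCommandLine": r"SETUP16.EXE -M C:\Temp\x.lst"},
}
ALERTS = sorted(name for name, ev in EVENTS.items() if rule_matches(ev))
```

The optional filter keys only on the child image path prefix, so any child process started from C:\~MSSETUP.T\ by a matching parent is excluded from alerting.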