Add Suspicius Setup16 Parent

[frack113]

Summary of the Pull Request

setup16.exe as lolbin https://www.hexacorn.com/blog/2024/10/12/the-sweet16-the-oldbin-lolbin-called-setup16-exe/

Potential Command Line Path Traversal Evasion Attempt cover by Rule_Id 1327381e-6ab0-4f38-b583-4c1b8346a56b

setup16 NEED a .lst file but as I don't know about false positives, I haven't written a rule about creating lst files

Changelog

add: Suspicius Setup16 Parent

Example Log Event

{
  "CommandLine": "C:\\~MSSETUP.T\\foo.t\\..\\..\\..\\windows\\system32\\calc.exe",
  "Company": "Microsoft Corporation",
  "Computer": "Win11",
  "Correlation_ActivityID": "{00000000-0000-0000-0000-000000000000}",
  "Description": "Windows Calculator",
  "DirectoryTableBase": "0x5500C000",
  "EventID": "1",
  "Execution_ProcessID": "4552",
  "Execution_ThreadID": "2716",
  "ExitStatus": "259",
  "FileAge": "890d02h04m58s",
  "FileCreationDate": "2022-05-07T07:20:18",
  "FileVersion": "10.0.22621.1 (WinBuild.160101.0800)",
  "Flags": "2",
  "GrandparentCommandLine": "C:\\WINDOWS\\System32\\cmd.exe",
  "GrandparentImage": "C:\\Windows\\System32\\cmd.exe",
  "GrandparentProcessId": "740",
  "Hashes": "MD5=302021D31F2D0BCE01D7AFC26BFE2BA2,SHA1=8A1C6E08700B39C943FFE5521997D36EF60E7786,SHA256=E5C9058319C82EC44BB881FCC84D51D6F9E56CCE2931D5B6F4519157953CF572,IMPHASH=BA072A972FE6C47C8CF7A0347BB0AF7A",
  "Image": "C:\\Windows\\SysWOW64\\calc.exe",
  "ImageFileName": "calc.exe",
  "IntegrityLevel": "High",
  "Keywords": "0x0",
  "Level": "0",
  "Match_Strings": "' -m ' in ParentCommandLine, -QT in ParentCommandLine, C:\\Windows\\SysWOW64\\setup16.exe in ParentImage",
  "Module": "Sigma",
  "Opcode": "1",
  "OriginalFileName": "CALC.EXE",
  "ParentCommandLine": "c:\\windows\\SysWOW64\\setup16.exe  -m c:\\temp\\test2.lst -QT",
  "ParentId": "0x11C8",
  "ParentImage": "C:\\Windows\\SysWOW64\\setup16.exe",
  "ParentProcessId": "4552",
  "ParentUser": "LAB\\admin",
  "ProcessId": "7672",
  "ProcessTree": "C:\\Windows\\explorer.exe|C:\\Program Files\\WindowsApps\\Microsoft.WindowsTerminal_1.20.11781.0_x64__8wekyb3d8bbwe\\WindowsTerminal.exe|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\SysWOW64\\setup16.exe|C:\\Windows\\SysWOW64\\calc.exe",
  "Product": "Microsoft® Windows® Operating System",
  "Provider_Guid": "{3D6FA8D0-FE05-11D0-9DDA-00C04FD7BA7C}",
  "Provider_Name": "SystemTraceProvider-Process",
  "Rule_Author": "frack113",
  "Rule_Description": "An adversary may use setup16 as lolbin",
  "Rule_FalsePositives": "Old setup application",
  "Rule_Id": "99c8be4f-3087-4f9f-9c24-8c7e257b442e",
  "Rule_Level": "medium",
  "Rule_Modified": "2024-10-13",
  "Rule_Path": "sigma-rules\\proc_creation_win_susp_setup16.yml",
  "Rule_References": "https://www.hexacorn.com/blog/2024/10/12/the-sweet16-the-oldbin-lolbin-called-setup16-exe/",
  "Rule_Sigtype": "custom",
  "Rule_Title": "Suspicius Setup16 Parent",
  "SessionId": "1",
  "Task": "0",
  "TimeCreated_SystemTime": "2024-10-13T09:44:59.7504512+02:00",
  "Timestamp": "1975-06-29T10:43:26",
  "UniqueProcessKey": "0xFFFF800EFE9790C0",
  "User": "LAB\\admin",
  "UserSID": "\\\\LAB\\admin",
  "UtcTime": "2024-10-13 07:44:59",
  "Version": "4",
  "Winversion": "22631",
  "aurora_eventid": 1,
  "level": "notice",
  "msg": "Sigma match found",
  "time": "2024-10-13T09:45:01+02:00",
  "_Match": [
    "' -m ' in ParentCommandLine",
    "-QT in ParentCommandLine",
    "C:\\Windows\\SysWOW64\\setup16.exe in ParentImage"
  ],
  "_Description": [
    "An adversary may use setup16 as lolbin"
  ],
  "_Author": "frack113"
}

Fixed Issues

SigmaHQ Rule Creation Conventions

• If your PR adds new rules, please consider following and applying these conventions