T1657 Financial Theft Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let CryptoWalletPaths = dynamic([
    "wallet.dat", "keystore", ".ethereum", ".bitcoin", "electrum",
    "exodus", "metamask", "coinbase", "ledger", "trezor",
    "\\AppData\\Roaming\\Exodus\\", "\\AppData\\Local\\Coinbase\\",
    "\\AppData\\Roaming\\Electrum\\", "\\AppData\\Local\\Google\\Chrome\\User Data\\"
]);
let FinancialDocPaths = dynamic([
    "bank", "invoice", "wire_transfer", "swift", "routing_number",
    "account_number", "tax_return", "payroll", "credit_card"
]);
let SuspiciousTools = dynamic([
    "powershell.exe", "cmd.exe", "python.exe", "python3.exe",
    "node.exe", "wscript.exe", "cscript.exe"
]);
// Crypto wallet file access by suspicious processes
let CryptoWalletAccess = DeviceFileEvents
| where TimeGenerated > ago(1h)
| where ActionType in ("FileRead", "FileAccessed", "FileCopied")
| where FileName has_any (CryptoWalletPaths)
    or FolderPath has_any (CryptoWalletPaths)
| where InitiatingProcessFileName in~ (SuspiciousTools)
    or InitiatingProcessParentFileName in~ (SuspiciousTools)
| where not (
    InitiatingProcessFileName in~ ("chrome.exe", "msedge.exe", "firefox.exe", "brave.exe")
    and FolderPath has "AppData"
)
| extend AlertType = "CryptoWalletAccess"
| project TimeGenerated, DeviceName, AccountName, InitiatingProcessFileName,
    InitiatingProcessCommandLine, InitiatingProcessParentFileName,
    FolderPath, FileName, AlertType;
// Browser extension storage enumeration (MetaMask, Coinbase Wallet, etc.)
let ExtensionEnumeration = DeviceFileEvents
| where TimeGenerated > ago(1h)
| where FolderPath has_all ("Chrome", "Extensions")
    or FolderPath has_all ("Firefox", "extensions")
| where ActionType in ("FileRead", "FileAccessed")
| where FileName in~ ("data", "Local State", "Login Data", "Web Data", "000003.log")
| where InitiatingProcessFileName !in~ ("chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe")
| extend AlertType = "BrowserExtensionEnum"
| project TimeGenerated, DeviceName, AccountName, InitiatingProcessFileName,
    InitiatingProcessCommandLine, InitiatingProcessParentFileName,
    FolderPath, FileName, AlertType;
// Exchange/M365 inbox rule creation for BEC redirection
let BECEmailRules = CloudAppEvents
| where TimeGenerated > ago(1h)
| where ActionType in ("New-InboxRule", "Set-InboxRule", "UpdateInboxRules")
| extend RuleDetails = tostring(RawEventData.Parameters)
| where RuleDetails has_any ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo", "DeleteMessage")
    and RuleDetails has_any ("invoice", "payment", "wire", "transfer", "bank", "finance",
                              "cfo", "ceo", "accounting", "payroll", "urgent")
| extend AlertType = "BECInboxRule"
| project TimeGenerated, AccountDisplayName, AccountObjectId, IPAddress,
    UserAgent, RuleDetails, AlertType
| extend DeviceName = "", InitiatingProcessCommandLine = "";
// Combine all signals
union CryptoWalletAccess, ExtensionEnumeration,
    (BECEmailRules | project TimeGenerated, DeviceName, AccountName = AccountDisplayName,
        InitiatingProcessFileName = UserAgent, InitiatingProcessCommandLine,
        InitiatingProcessParentFileName = "", FolderPath = "", FileName = RuleDetails, AlertType)
| summarize AlertCount = count(), AlertTypes = make_set(AlertType),
    FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated)
    by DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessCommandLine,
       bin(TimeGenerated, 5m)
| extend RiskScore = case(
    array_length(AlertTypes) > 1, "Critical",
    AlertTypes has "BECInboxRule", "High",
    AlertTypes has "CryptoWalletAccess", "High",
    "Medium"
)
| where RiskScore in ("Critical", "High", "Medium")
| sort by RiskScore asc, FirstSeen desc

high severity medium confidence

Data Sources

Microsoft Defender for Endpoint Microsoft Defender for Cloud Apps Microsoft 365 Defender

Required Tables

DeviceFileEvents CloudAppEvents

False Positives

Legitimate cryptocurrency portfolio management tools (CryptoCompare, Koinly, CoinTracking) reading wallet files for tax/portfolio reporting
IT backup software (Veeam, Acronis, Windows Backup) scanning AppData directories including wallet application folders
Finance team members creating legitimate email forwarding rules for invoice or payment notification workflows
Password manager applications (1Password, Bitwarden, LastPass) accessing browser extension storage during sync operations
Antivirus or EDR scanning engines performing file access on wallet directories during scheduled scans

Splunk

spl

| multisearch
    [search index=sysmon sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11
     (TargetFilename="*wallet.dat*" OR TargetFilename="*\\Exodus\\*" OR TargetFilename="*\\Electrum\\*"
      OR TargetFilename="*\\Ethereum\\keystore\\*" OR TargetFilename="*MetaMask*"
      OR TargetFilename="*\\Coinbase\\*" OR TargetFilename="*\\AppData\\*\\Extensions\\*")
     NOT (Image="*\\chrome.exe" OR Image="*\\msedge.exe" OR Image="*\\firefox.exe"
          OR Image="*\\brave.exe" OR Image="*\\Exodus.exe" OR Image="*\\Electrum.exe")
     | eval alert_type="CryptoWalletFileCreate", risk_score=80
     | fields _time, host, User, Image, TargetFilename, alert_type, risk_score]
    [search index=sysmon sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
     (CommandLine="*wallet.dat*" OR CommandLine="*keystore*" OR CommandLine="*exodus*"
      OR CommandLine="*metamask*" OR CommandLine="*.ethereum*" OR CommandLine="*seed phrase*"
      OR CommandLine="*mnemonic*" OR CommandLine="*private_key*" OR CommandLine="*crypto*wallet*")
     | eval alert_type="CryptoWalletProcessCmd", risk_score=85
     | fields _time, host, User, Image, CommandLine, ParentImage, alert_type, risk_score]
    [search index=windows sourcetype="WinEventLog:Security" EventCode=4663
     (ObjectName="*\\wallet.dat" OR ObjectName="*\\Exodus\\*" OR ObjectName="*\\Electrum\\*"
      OR ObjectName="*\\Ethereum\\keystore\\*")
     | eval alert_type="CryptoWalletObjAccess", risk_score=75
     | fields _time, host, SubjectUserName, ProcessName, ObjectName, alert_type, risk_score
     | rename SubjectUserName as User, ProcessName as Image, ObjectName as TargetFilename]
    [search index=o365 sourcetype="o365:management:activity"
     (Operation="New-InboxRule" OR Operation="Set-InboxRule" OR Operation="UpdateInboxRules")
     | spath input=Parameters output=params_str
     | search params_str IN ("*ForwardTo*", "*RedirectTo*", "*ForwardAsAttachmentTo*")
     | search params_str IN ("*invoice*", "*payment*", "*wire*", "*transfer*", "*bank*", "*cfo*", "*ceo*", "*payroll*")
     | eval alert_type="BECInboxRule", risk_score=90
     | fields _time, host, UserId, ClientIP, params_str, alert_type, risk_score
     | rename UserId as User, params_str as TargetFilename, ClientIP as Image]
| eval _time=strptime(_time, "%Y-%m-%dT%H:%M:%S")
| bin _time span=10m
| stats count as event_count, values(alert_type) as alert_types,
    max(risk_score) as max_risk, min(_time) as first_seen, max(_time) as last_seen,
    values(TargetFilename) as targets, values(Image) as processes
    by _time, host, User
| eval distinct_alert_types=mvcount(alert_types)
| eval final_risk=case(
    distinct_alert_types >= 2, "Critical",
    max_risk >= 85, "High",
    max_risk >= 70, "Medium",
    true(), "Low"
)
| where final_risk IN ("Critical", "High", "Medium")
| table _time, host, User, alert_types, event_count, final_risk, first_seen, last_seen, targets, processes
| sort - final_risk, - event_count

high severity medium confidence

Data Sources

Sysmon Windows Security Logs Microsoft 365 Audit Logs

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational WinEventLog:Security o365:management:activity

False Positives

Legitimate cryptocurrency wallet backup scripts run by users to back up wallet.dat to external storage
IT asset management tools enumerating installed applications including crypto wallet software directories
Finance department email rules created by administrators for legitimate invoice processing workflows
Security tools performing file integrity monitoring on user application directories
Automated tax reporting tools that read crypto wallet transaction history for annual reporting

Elastic Security (EQL)

eql

file where event.type in ("creation", "change") and (
  file.path : ("*\\Temp\\*", "*\\AppData\\*", "*\\Downloads\\*") and
  file.extension in ("exe", "dll", "bat", "ps1", "vbs", "hta", "js")
) and not process.code_signature.trusted == true

high severity medium confidence

Data Sources

Elastic Endpoint Security

Required Tables

logs-endpoint.events.file-*

False Positives

Legitimate cryptocurrency portfolio management tools (CryptoCompare, Koinly, CoinTracking) reading wallet files for tax/portfolio reporting
IT backup software (Veeam, Acronis, Windows Backup) scanning AppData directories including wallet application folders
Finance team members creating legitimate email forwarding rules for invoice or payment notification workflows

IBM QRadar (AQL)

sql

SELECT
    DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
    LOGSOURCENAME(logsourceid) AS LogSource,
    "username" AS AccountName,
    sourceip AS SourceIP,
    "CommandLine" AS CommandLine,
    CASE
        WHEN "CommandLine" ILIKE '%bypass%' THEN 85
        WHEN "CommandLine" ILIKE '%-enc%' THEN 80
        ELSE 60
    END AS RiskScore
FROM events
WHERE
    LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Universal DSM')
    AND eventid IN (4688, 1)
    AND RiskScore >= 60
ORDER BY EventTime DESC
LAST 1 HOURS

high severity medium confidence

Data Sources

IBM QRadar SIEM Windows Security Events Endpoint Agent

Required Tables

events

False Positives

Legitimate cryptocurrency portfolio management tools (CryptoCompare, Koinly, CoinTracking) reading wallet files for tax/portfolio reporting
IT backup software (Veeam, Acronis, Windows Backup) scanning AppData directories including wallet application folders
Finance team members creating legitimate email forwarding rules for invoice or payment notification workflows

Sumo Logic CSE

sql

_sourceCategory=windows/* OR _sourceCategory=endpoint/*
| json auto
| where process_name in ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe")
| where process_cmdline matches /(-enc|-bypass|-hidden)/i
| if(process_cmdline matches /-enc/i, 80, 60) as risk_score
| where risk_score >= 60
| count by host, user, process_name, process_cmdline, risk_score
| sort - risk_score

high severity medium confidence

Data Sources

Sumo Logic Cloud SIEM Windows Event Logs Endpoint Telemetry

Required Tables

_sourceCategory=windows/* OR _sourceCategory=endpoint/*

False Positives

Legitimate cryptocurrency portfolio management tools (CryptoCompare, Koinly, CoinTracking) reading wallet files for tax/portfolio reporting
IT backup software (Veeam, Acronis, Windows Backup) scanning AppData directories including wallet application folders
Finance team members creating legitimate email forwarding rules for invoice or payment notification workflows

Google Chronicle / SecOps

yaral

rule detection_t1657 {
  meta:
    author = "Argus Detection Platform"
    description = "Detects Financial Theft - T1657"
    severity = "HIGH"
    mitre_attack = "T1657"
    reference = "https://attack.mitre.org/techniques/T1657/"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.hostname = $hostname
    $e.target.process.file.full_path = $process_path
    $e.target.process.command_line = $cmdline
    re.regex($e.target.process.file.full_path, `(?i)(powershell|cmd|wscript|cscript)\.exe$`) and
    re.regex($e.target.process.command_line, `(?i)(-enc|-bypass|invoke-expression)`)
    not re.regex($e.principal.process.file.full_path, `(?i)(trustedinstaller|msiexec)`)

  condition:
    $e
}

high severity medium confidence

Data Sources

EDR Platform

Required Tables

PROCESS_LAUNCH

False Positives

Legitimate cryptocurrency portfolio management tools (CryptoCompare, Koinly, CoinTracking) reading wallet files for tax/portfolio reporting
IT backup software (Veeam, Acronis, Windows Backup) scanning AppData directories including wallet application folders
Finance team members creating legitimate email forwarding rules for invoice or payment notification workflows

CrowdStrike LogScale (CQL)

cql

#event_simpleName = "ProcessRollup2"
| ImageFileName = /(?i)(powershell|cmd|wscript|cscript|mshta)\.exe$/
| CommandLine = /(?i)(-enc|-bypass|invoke-expression)/
| case {
    CommandLine = /(?i)-enc/ | DetectionType := "EncodedCommand" ;
    CommandLine = /(?i)-bypass/ | DetectionType := "BypassExecution" ;
    * | DetectionType := "SuspiciousExecution"
}
| table([ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, DetectionType, ProcessId])
| sort(@timestamp, order=desc, limit=100)

high severity medium confidence

Data Sources

CrowdStrike Falcon Endpoint Protection

Required Tables

ProcessRollup2

False Positives

Legitimate cryptocurrency portfolio management tools (CryptoCompare, Koinly, CoinTracking) reading wallet files for tax/portfolio reporting
IT backup software (Veeam, Acronis, Windows Backup) scanning AppData directories including wallet application folders
Finance team members creating legitimate email forwarding rules for invoice or payment notification workflows

Financial Theft

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Same Tactic: Impact

Popular Detections