Detect Financial Theft in Google Chronicle
This detection identifies behaviors associated with adversary financial theft operations including cryptocurrency wallet credential harvesting, business email compromise (BEC) infrastructure setup, ransomware extortion precursors, and unauthorized access to financial application data. The detection covers multiple attack vectors: process-level access to browser-stored cryptocurrency wallet extensions and keystore files, suspicious inbox rule creation indicative of BEC email redirection, mass file enumeration of financial document paths, and execution of known financial theft malware behaviors such as those exhibited by InvisibleFerret and BeaverTail. Detection logic correlates file access events against high-value financial paths (wallet.dat, MetaMask/Exodus/Coinbase browser extension storage, banking application credential stores) with suspicious process ancestry and user context anomalies.
MITRE ATT&CK
- Tactic: Impact
- Technique: T1657 Financial Theft
- Canonical reference: https://attack.mitre.org/techniques/T1657/
YARA-L Detection Query
    rule detection_t1657 {
      meta:
        author = "Argus Detection Platform"
        description = "Detects Financial Theft - T1657"
        severity = "HIGH"
        mitre_attack = "T1657"
        reference = "https://attack.mitre.org/techniques/T1657/"

      events:
        $e.metadata.event_type = "PROCESS_LAUNCH"
        $e.principal.hostname = $hostname
        $e.target.process.file.full_path = $process_path
        $e.target.process.command_line = $cmdline

        // Script host launched with encoded, policy-bypassing or Invoke-Expression arguments
        re.regex($e.target.process.file.full_path, `(?i)(powershell|cmd|wscript|cscript)\.exe$`) and
        re.regex($e.target.process.command_line, `(?i)(-enc|-bypass|invoke-expression)`)

        // Tuning: suppress launches whose parent process is a trusted installer
        not re.regex($e.principal.process.file.full_path, `(?i)(trustedinstaller|msiexec)`)

      condition:
        $e
    }

Google Chronicle YARA-L 2.0 rule for detecting Financial Theft (T1657). It uses the Chronicle UDM event model to identify financial theft behaviors across endpoint and cloud telemetry.
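Before shipping a rule like the one above, a detection engineer usually replays it offline against a handful of representative events to confirm what each predicate does and does not catch. The following Python harness is an added example, not code from the page or from the Argus platform: it mirrors the rule's three regex predicates over constructed UDM-shaped events, and adds a second, assumed check for file-open events on the wallet artefacts the page names (wallet.dat and the MetaMask/Coinbase extension IDs listed under Testing Methodology), with the backup-agent exclusion from the tuning notes. The helper names (`udm_get`, `make_event`, `triage`), the `FILE_OPEN`/`FILE_READ` branch and the backup-agent regex are assumptions of this example; the sample events are constructed, not real telemetry.

```python
"""Offline evaluator for the T1657 rule predicates (added example, not the page's rule)."""
import re

# Regexes copied verbatim from the YARA-L rule above. Note they are unanchored apart
# from the trailing $ on the image name, so "-EncodedCommand" matches "-enc".
SCRIPT_HOST_RE = re.compile(r"(?i)(powershell|cmd|wscript|cscript)\.exe$")
SUSPICIOUS_ARGS_RE = re.compile(r"(?i)(-enc|-bypass|invoke-expression)")
TRUSTED_PARENT_RE = re.compile(r"(?i)(trustedinstaller|msiexec)")

# Wallet artefacts named on this page. This FILE_OPEN branch is an assumption of the
# example and is not part of the page's rule.
WALLET_PATH_RE = re.compile(
    r"(?i)(wallet\.dat$|nkbihfbeogaeaoehlefnkodbefgpgknn|hnfanknocfeofbddgcijnmhnfnkdnaad)"
)
# Backup agents from the False Positives & Tuning list, excluded by actor image (assumption).
BACKUP_PARENT_RE = re.compile(r"(?i)(veeam|acronis)")


def udm_get(event: dict, path: str) -> str:
    """Walk a dotted UDM path through nested dicts; a missing field reads as ''."""
    node = event
    for key in path.split("."):
        if not isinstance(node, dict):
            return ""
        node = node.get(key, "")
    return node if isinstance(node, str) else ""


def matches_rule(event: dict) -> bool:
    """Mirror of detection_t1657: script host + suspicious args, unless parent is trusted."""
    if udm_get(event, "metadata.event_type") != "PROCESS_LAUNCH":
        return False
    if not SCRIPT_HOST_RE.search(udm_get(event, "target.process.file.full_path")):
        return False
    if not SUSPICIOUS_ARGS_RE.search(udm_get(event, "target.process.command_line")):
        return False
    # The rule's `not re.regex(...)`: a trusted-installer parent suppresses the alert.
    return not TRUSTED_PARENT_RE.search(udm_get(event, "principal.process.file.full_path"))


def matches_wallet_access(event: dict) -> bool:
    """Assumed companion check: file reads of wallet artefacts, minus backup agents."""
    if udm_get(event, "metadata.event_type") not in ("FILE_OPEN", "FILE_READ"):
        return False
    if not WALLET_PATH_RE.search(udm_get(event, "target.file.full_path")):
        return False
    return not BACKUP_PARENT_RE.search(udm_get(event, "principal.process.file.full_path"))


def make_event(event_type, host, actor_path, target_path, cmdline="", user="user01"):
    """Build a minimal UDM-shaped event (constructed sample data)."""
    ev = {
        "metadata": {"event_type": event_type},
        "principal": {"hostname": host, "user": {"userid": user},
                      "process": {"file": {"full_path": actor_path}}},
        "target": {},
    }
    if event_type == "PROCESS_LAUNCH":
        ev["target"]["process"] = {"file": {"full_path": target_path}, "command_line": cmdline}
    else:
        ev["target"]["file"] = {"full_path": target_path}
    return ev


PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WALLET_DAT = r"C:\Users\user01\AppData\Roaming\Bitcoin\wallet.dat"
METAMASK_STORE = (r"C:\Users\user01\AppData\Local\Google\Chrome\User Data\Default"
                  r"\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\000003.log")

SAMPLE_EVENTS = [  # constructed events, one per case the rule should decide
    # 0: encoded PowerShell from explorer.exe -> rule fires
    make_event("PROCESS_LAUNCH", "WS-FIN-07", r"C:\Windows\explorer.exe", PS_IMAGE,
               "powershell.exe -NoP -W Hidden -EncodedCommand <base64 blob omitted>"),
    # 1: same command line but parent is msiexec.exe -> suppressed by the tuning exclusion
    make_event("PROCESS_LAUNCH", "WS-FIN-07", r"C:\Windows\System32\msiexec.exe", PS_IMAGE,
               "powershell.exe -NoP -W Hidden -EncodedCommand <base64 blob omitted>"),
    # 2: "-ExecutionPolicy Bypass" has no "-bypass" token -> rule does NOT fire (regex gap)
    make_event("PROCESS_LAUNCH", "WS-FIN-07", r"C:\Windows\explorer.exe", PS_IMAGE,
               "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"),
    # 3: cmd.exe reading wallet.dat -> wallet check fires
    make_event("FILE_OPEN", "WS-FIN-07", r"C:\Windows\System32\cmd.exe", WALLET_DAT),
    # 4: backup agent reading the same file -> excluded as a known false positive
    make_event("FILE_OPEN", "WS-FIN-07", r"C:\Program Files\Veeam\Backup\VeeamAgent.exe",
               WALLET_DAT),
    # 5: PowerShell reading the MetaMask extension store -> wallet check fires
    make_event("FILE_READ", "WS-FIN-07", PS_IMAGE, METAMASK_STORE),
]


def triage(events):
    """Return (index, label) pairs for every event that trips either check."""
    hits = []
    for i, ev in enumerate(events):
        if matches_rule(ev):
            hits.append((i, "T1657 process rule"))
        if matches_wallet_access(ev):
            hits.append((i, "wallet artefact access"))
    return hits


if __name__ == "__main__":
    for idx, label in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {label}")
```

Case 2 is the one worth noticing: the page's `-bypass` token only matches a hyphenated argument, so the common `-ExecutionPolicy Bypass` form slips past the process rule, which is why the assumed wallet-artefact check is run alongside it rather than instead of it.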
Data Sources
Required Tables
False Positives & Tuning
- Legitimate cryptocurrency portfolio management tools (CryptoCompare, Koinly, CoinTracking) reading wallet files for tax/portfolio reporting
- IT backup software (Veeam, Acronis, Windows Backup) scanning AppData directories including wallet application folders
- Finance team members creating legitimate email forwarding rules for invoice or payment notification workflows
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Cryptocurrency Wallet File Enumeration via PowerShell
Expected signal: DeviceFileEvents with ActionType=FileAccessed for the wallet.dat path; Sysmon EventID 11 (FileCreate) in the staging directory; DeviceProcessEvents with powershell.exe CommandLine containing wallet path strings; PowerShell ScriptBlock logs (EventID 4104) containing wallet enumeration commands
- Test 2: BEC Inbox Forwarding Rule Creation via Exchange PowerShell
Expected signal: O365 Unified Audit Log: Operation=New-InboxRule with Parameters containing ForwardTo and financial keyword conditions; CloudAppEvents table in Sentinel populated within 15-30 minutes of rule creation
- Test 3: Browser Cryptocurrency Extension Storage Enumeration
Expected signal: DeviceFileEvents with ActionType=FileAccessed for Chrome extension storage paths (nkbihfbeogaeaoehlefnkodbefgpgknn = MetaMask, hnfanknocfeofbddgcijnmhnfnkdnaad = Coinbase); InitiatingProcessFileName=cmd.exe; Sysmon EventID 1 with CommandLine containing LOCALAPPDATA Chrome Extensions wallet extension IDs
References (7)
- https://attack.mitre.org/techniques/T1657/
- https://www.ic3.gov/Media/PDF/AnnualReport/2022_IC3Report.pdf
- https://www.fbi.gov/how-we-can-help-you/scams-and-safety/common-scams-and-crimes/ransomware
- https://www.mandiant.com/resources/blog/data-theft-extortion-ransomware
- https://www.esentire.com/blog/contagious-interview-attack-campaign-update
- https://www.justice.gov/opa/pr/north-korean-hackers-charged-crypto-theft
- https://www.crowdstrike.com/blog/double-extortion-ransomware-leak-sites/