Detect Financial Theft in IBM QRadar
This detection identifies behaviors associated with adversary financial theft operations including cryptocurrency wallet credential harvesting, business email compromise (BEC) infrastructure setup, ransomware extortion precursors, and unauthorized access to financial application data. The detection covers multiple attack vectors: process-level access to browser-stored cryptocurrency wallet extensions and keystore files, suspicious inbox rule creation indicative of BEC email redirection, mass file enumeration of financial document paths, and execution of known financial theft malware behaviors such as those exhibited by InvisibleFerret and BeaverTail. Detection logic correlates file access events against high-value financial paths (wallet.dat, MetaMask/Exodus/Coinbase browser extension storage, banking application credential stores) with suspicious process ancestry and user context anomalies.
MITRE ATT&CK
- Tactic
- Impact
- Technique
- T1657 Financial Theft
- Canonical reference
- https://attack.mitre.org/techniques/T1657/
QRadar Detection Query
SELECT
DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
LOGSOURCENAME(logsourceid) AS LogSource,
"username" AS AccountName,
sourceip AS SourceIP,
"CommandLine" AS CommandLine,
CASE
WHEN "CommandLine" ILIKE '%bypass%' THEN 85
WHEN "CommandLine" ILIKE '%-enc%' THEN 80
ELSE 60
END AS RiskScore
FROM events
WHERE
LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Universal DSM')
AND eventid IN (4688, 1)
AND RiskScore >= 60
ORDER BY EventTime DESC
LAST 1 HOURSIBM QRadar AQL detection for Financial Theft (T1657). Queries QRadar event pipeline for indicators consistent with financial theft adversary techniques using MITRE ATT&CK-aligned event categorization.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate cryptocurrency portfolio management tools (CryptoCompare, Koinly, CoinTracking) reading wallet files for tax/portfolio reporting
- IT backup software (Veeam, Acronis, Windows Backup) scanning AppData directories including wallet application folders
- Finance team members creating legitimate email forwarding rules for invoice or payment notification workflows
Other platforms for T1657
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Cryptocurrency Wallet File Enumeration via PowerShell
Expected signal: DeviceFileEvents with ActionType=FileAccessed for wallet.dat path; Sysmon EventID 11 (FileCreate) in staging directory; DeviceProcessEvents with powershell.exe CommandLine containing wallet path strings; PowerShell ScriptBlock logs EventID 4104 containing wallet enumeration commands
- Test 2BEC Inbox Forwarding Rule Creation via Exchange PowerShell
Expected signal: O365 Unified Audit Log: Operation=New-InboxRule with Parameters containing ForwardTo and financial keyword conditions; CloudAppEvents table in Sentinel populated within 15-30 minutes of rule creation
- Test 3Browser Cryptocurrency Extension Storage Enumeration
Expected signal: DeviceFileEvents with ActionType=FileAccessed for Chrome extension storage paths (nkbihfbeogaeaoehlefnkodbefgpgknn = MetaMask, hnfanknocfeofbddgcijnmhnfnkdnaad = Coinbase); InitiatingProcessFileName=cmd.exe; Sysmon EventID 1 with CommandLine containing LOCALAPPDATA Chrome Extensions wallet extension IDs
References (7)
- https://attack.mitre.org/techniques/T1657/
- https://www.ic3.gov/Media/PDF/AnnualReport/2022_IC3Report.pdf
- https://www.fbi.gov/how-we-can-help-you/scams-and-safety/common-scams-and-crimes/ransomware
- https://www.mandiant.com/resources/blog/data-theft-extortion-ransomware
- https://www.esentire.com/blog/contagious-interview-attack-campaign-update
- https://www.justice.gov/opa/pr/north-korean-hackers-charged-crypto-theft
- https://www.crowdstrike.com/blog/double-extortion-ransomware-leak-sites/
Unlock Pro Content
Get the full detection package for T1657 including response playbook, investigation guide, and atomic red team tests.