Detect Financial Theft in Microsoft Sentinel
This detection identifies behaviors associated with adversary financial theft operations including cryptocurrency wallet credential harvesting, business email compromise (BEC) infrastructure setup, ransomware extortion precursors, and unauthorized access to financial application data. The detection covers multiple attack vectors: process-level access to browser-stored cryptocurrency wallet extensions and keystore files, suspicious inbox rule creation indicative of BEC email redirection, mass file enumeration of financial document paths, and execution of known financial theft malware behaviors such as those exhibited by InvisibleFerret and BeaverTail. Detection logic correlates file access events against high-value financial paths (wallet.dat, MetaMask/Exodus/Coinbase browser extension storage, banking application credential stores) with suspicious process ancestry and user context anomalies.
MITRE ATT&CK
- Tactic
- Impact
- Technique
- T1657 Financial Theft
- Canonical reference
- https://attack.mitre.org/techniques/T1657/
KQL Detection Query
let CryptoWalletPaths = dynamic([
"wallet.dat", "keystore", ".ethereum", ".bitcoin", "electrum",
"exodus", "metamask", "coinbase", "ledger", "trezor",
"\\AppData\\Roaming\\Exodus\\", "\\AppData\\Local\\Coinbase\\",
"\\AppData\\Roaming\\Electrum\\", "\\AppData\\Local\\Google\\Chrome\\User Data\\"
]);
let FinancialDocPaths = dynamic([
"bank", "invoice", "wire_transfer", "swift", "routing_number",
"account_number", "tax_return", "payroll", "credit_card"
]);
let SuspiciousTools = dynamic([
"powershell.exe", "cmd.exe", "python.exe", "python3.exe",
"node.exe", "wscript.exe", "cscript.exe"
]);
// Crypto wallet file access by suspicious processes
let CryptoWalletAccess = DeviceFileEvents
| where TimeGenerated > ago(1h)
| where ActionType in ("FileRead", "FileAccessed", "FileCopied")
| where FileName has_any (CryptoWalletPaths)
or FolderPath has_any (CryptoWalletPaths)
| where InitiatingProcessFileName in~ (SuspiciousTools)
or InitiatingProcessParentFileName in~ (SuspiciousTools)
| where not (
InitiatingProcessFileName in~ ("chrome.exe", "msedge.exe", "firefox.exe", "brave.exe")
and FolderPath has "AppData"
)
| extend AlertType = "CryptoWalletAccess"
| project TimeGenerated, DeviceName, AccountName, InitiatingProcessFileName,
InitiatingProcessCommandLine, InitiatingProcessParentFileName,
FolderPath, FileName, AlertType;
// Browser extension storage enumeration (MetaMask, Coinbase Wallet, etc.)
let ExtensionEnumeration = DeviceFileEvents
| where TimeGenerated > ago(1h)
| where FolderPath has_all ("Chrome", "Extensions")
or FolderPath has_all ("Firefox", "extensions")
| where ActionType in ("FileRead", "FileAccessed")
| where FileName in~ ("data", "Local State", "Login Data", "Web Data", "000003.log")
| where InitiatingProcessFileName !in~ ("chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe")
| extend AlertType = "BrowserExtensionEnum"
| project TimeGenerated, DeviceName, AccountName, InitiatingProcessFileName,
InitiatingProcessCommandLine, InitiatingProcessParentFileName,
FolderPath, FileName, AlertType;
// Exchange/M365 inbox rule creation for BEC redirection
let BECEmailRules = CloudAppEvents
| where TimeGenerated > ago(1h)
| where ActionType in ("New-InboxRule", "Set-InboxRule", "UpdateInboxRules")
| extend RuleDetails = tostring(RawEventData.Parameters)
| where RuleDetails has_any ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo", "DeleteMessage")
and RuleDetails has_any ("invoice", "payment", "wire", "transfer", "bank", "finance",
"cfo", "ceo", "accounting", "payroll", "urgent")
| extend AlertType = "BECInboxRule"
| project TimeGenerated, AccountDisplayName, AccountObjectId, IPAddress,
UserAgent, RuleDetails, AlertType
| extend DeviceName = "", InitiatingProcessCommandLine = "";
// Combine all signals
union CryptoWalletAccess, ExtensionEnumeration,
(BECEmailRules | project TimeGenerated, DeviceName, AccountName = AccountDisplayName,
InitiatingProcessFileName = UserAgent, InitiatingProcessCommandLine,
InitiatingProcessParentFileName = "", FolderPath = "", FileName = RuleDetails, AlertType)
| summarize AlertCount = count(), AlertTypes = make_set(AlertType),
FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated)
by DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessCommandLine,
bin(TimeGenerated, 5m)
| extend RiskScore = case(
array_length(AlertTypes) > 1, "Critical",
AlertTypes has "BECInboxRule", "High",
AlertTypes has "CryptoWalletAccess", "High",
"Medium"
)
| where RiskScore in ("Critical", "High", "Medium")
| sort by RiskScore asc, FirstSeen descDetects financial theft behaviors across three vectors: (1) suspicious process access to cryptocurrency wallet files and directories (wallet.dat, Exodus/MetaMask/Coinbase app data), (2) non-browser processes reading browser extension storage that hosts crypto wallet extensions, and (3) Exchange/M365 inbox rule creation with financial keywords suggesting BEC email redirection setup. Results are correlated by account and device, scored by multi-signal presence.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate cryptocurrency portfolio management tools (CryptoCompare, Koinly, CoinTracking) reading wallet files for tax/portfolio reporting
- IT backup software (Veeam, Acronis, Windows Backup) scanning AppData directories including wallet application folders
- Finance team members creating legitimate email forwarding rules for invoice or payment notification workflows
- Password manager applications (1Password, Bitwarden, LastPass) accessing browser extension storage during sync operations
- Antivirus or EDR scanning engines performing file access on wallet directories during scheduled scans
Other platforms for T1657
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Cryptocurrency Wallet File Enumeration via PowerShell
Expected signal: DeviceFileEvents with ActionType=FileAccessed for wallet.dat path; Sysmon EventID 11 (FileCreate) in staging directory; DeviceProcessEvents with powershell.exe CommandLine containing wallet path strings; PowerShell ScriptBlock logs EventID 4104 containing wallet enumeration commands
- Test 2BEC Inbox Forwarding Rule Creation via Exchange PowerShell
Expected signal: O365 Unified Audit Log: Operation=New-InboxRule with Parameters containing ForwardTo and financial keyword conditions; CloudAppEvents table in Sentinel populated within 15-30 minutes of rule creation
- Test 3Browser Cryptocurrency Extension Storage Enumeration
Expected signal: DeviceFileEvents with ActionType=FileAccessed for Chrome extension storage paths (nkbihfbeogaeaoehlefnkodbefgpgknn = MetaMask, hnfanknocfeofbddgcijnmhnfnkdnaad = Coinbase); InitiatingProcessFileName=cmd.exe; Sysmon EventID 1 with CommandLine containing LOCALAPPDATA Chrome Extensions wallet extension IDs
References (7)
- https://attack.mitre.org/techniques/T1657/
- https://www.ic3.gov/Media/PDF/AnnualReport/2022_IC3Report.pdf
- https://www.fbi.gov/how-we-can-help-you/scams-and-safety/common-scams-and-crimes/ransomware
- https://www.mandiant.com/resources/blog/data-theft-extortion-ransomware
- https://www.esentire.com/blog/contagious-interview-attack-campaign-update
- https://www.justice.gov/opa/pr/north-korean-hackers-charged-crypto-theft
- https://www.crowdstrike.com/blog/double-extortion-ransomware-leak-sites/
Unlock Pro Content
Get the full detection package for T1657 including response playbook, investigation guide, and atomic red team tests.