T1657 Splunk · SPL

Detect Financial Theft in Splunk

This detection identifies behaviors associated with adversary financial theft operations including cryptocurrency wallet credential harvesting, business email compromise (BEC) infrastructure setup, ransomware extortion precursors, and unauthorized access to financial application data. The detection covers multiple attack vectors: process-level access to browser-stored cryptocurrency wallet extensions and keystore files, suspicious inbox rule creation indicative of BEC email redirection, mass file enumeration of financial document paths, and execution of known financial theft malware behaviors such as those exhibited by InvisibleFerret and BeaverTail. Detection logic correlates file access events against high-value financial paths (wallet.dat, MetaMask/Exodus/Coinbase browser extension storage, banking application credential stores) with suspicious process ancestry and user context anomalies.

MITRE ATT&CK

Tactic: Impact
Technique: T1657 Financial Theft
Canonical reference: https://attack.mitre.org/techniques/T1657/

SPL Detection Query

Splunk (SPL)

```spl
| multisearch
    [search index=sysmon sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11
     (TargetFilename="*wallet.dat*" OR TargetFilename="*\\Exodus\\*" OR TargetFilename="*\\Electrum\\*"
      OR TargetFilename="*\\Ethereum\\keystore\\*" OR TargetFilename="*MetaMask*"
      OR TargetFilename="*\\Coinbase\\*" OR TargetFilename="*\\AppData\\*\\Extensions\\*")
     NOT (Image="*\\chrome.exe" OR Image="*\\msedge.exe" OR Image="*\\firefox.exe"
          OR Image="*\\brave.exe" OR Image="*\\Exodus.exe" OR Image="*\\Electrum.exe")
     | eval alert_type="CryptoWalletFileCreate", risk_score=80
     | fields _time, host, User, Image, TargetFilename, alert_type, risk_score]
    [search index=sysmon sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
     (CommandLine="*wallet.dat*" OR CommandLine="*keystore*" OR CommandLine="*exodus*"
      OR CommandLine="*metamask*" OR CommandLine="*.ethereum*" OR CommandLine="*seed phrase*"
      OR CommandLine="*mnemonic*" OR CommandLine="*private_key*" OR CommandLine="*crypto*wallet*")
     | eval alert_type="CryptoWalletProcessCmd", risk_score=85
     | fields _time, host, User, Image, CommandLine, ParentImage, alert_type, risk_score]
    [search index=windows sourcetype="WinEventLog:Security" EventCode=4663
     (ObjectName="*\\wallet.dat" OR ObjectName="*\\Exodus\\*" OR ObjectName="*\\Electrum\\*"
      OR ObjectName="*\\Ethereum\\keystore\\*")
     | eval alert_type="CryptoWalletObjAccess", risk_score=75
     | fields _time, host, SubjectUserName, ProcessName, ObjectName, alert_type, risk_score
     | rename SubjectUserName as User, ProcessName as Image, ObjectName as TargetFilename]
    [search index=o365 sourcetype="o365:management:activity"
     (Operation="New-InboxRule" OR Operation="Set-InboxRule" OR Operation="UpdateInboxRules")
     | spath input=Parameters output=params_str
     | search params_str IN ("*ForwardTo*", "*RedirectTo*", "*ForwardAsAttachmentTo*")
     | search params_str IN ("*invoice*", "*payment*", "*wire*", "*transfer*", "*bank*", "*cfo*", "*ceo*", "*payroll*")
     | eval alert_type="BECInboxRule", risk_score=90
     | fields _time, host, UserId, ClientIP, params_str, alert_type, risk_score
     | rename UserId as User, params_str as TargetFilename, ClientIP as Image]
| bin _time span=10m
| stats count as event_count, values(alert_type) as alert_types,
    max(risk_score) as max_risk, min(_time) as first_seen, max(_time) as last_seen,
    values(TargetFilename) as targets, values(Image) as processes
    by _time, host, User
| eval distinct_alert_types=mvcount(alert_types)
| eval final_risk=case(
    distinct_alert_types >= 2, "Critical",
    max_risk >= 85, "High",
    max_risk >= 70, "Medium",
    true(), "Low"
)
| where final_risk IN ("Critical", "High", "Medium")
| eval risk_rank=case(final_risk=="Critical", 3, final_risk=="High", 2, true(), 1)
| sort - risk_rank, - event_count
| table _time, host, User, alert_types, event_count, final_risk, first_seen, last_seen, targets, processes
```

Severity: high. Confidence: medium.

Detects financial theft indicators across three data sources: Sysmon EventCode 11 (file creation) and EventCode 1 (process creation) for cryptocurrency wallet file access by non-wallet processes, Windows Security EventCode 4663 (object access) for direct wallet file reads, and O365 audit logs for BEC-related inbox rule creation with financial keywords. Results are correlated by host and user across 10-minute windows with multi-signal risk scoring: a window containing two or more distinct alert types is rated Critical, otherwise the rating follows the highest single risk score in the window (85 or above is High, 70 or above is Medium), and Low windows are dropped.

Data Sources

  • Sysmon
  • Windows Security Logs
  • Microsoft 365 Audit Logs

Required Sourcetypes

  • XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
  • WinEventLog:Security
  • o365:management:activity

False Positives & Tuning

  • Legitimate cryptocurrency wallet backup scripts run by users to back up wallet.dat to external storage
  • IT asset management tools enumerating installed applications including crypto wallet software directories
  • Finance department email rules created by administrators for legitimate invoice processing workflows
  • Security tools performing file integrity monitoring on user application directories
  • Automated tax reporting tools that read crypto wallet transaction history for annual reporting
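The correlation and scoring logic described for the SPL query above, together with the kind of process allowlist the tuning list calls for, re-implemented in plain Python so it can be exercised offline. This is an added example, not code from the original page or its detection package: the event records, host names, user names and the allowlisted tool names (walletbackup.exe, fimagent.exe) are constructed for illustration, and the field names follow the normalized fields the query produces after its rename steps.

```python
"""Stand-alone model of the T1657 detection: classify normalized events into the
four alert types, bin hits into 10-minute windows per host and user, and apply
the multi-signal risk scoring. All events below are constructed sample data."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Path fragments from the TargetFilename / ObjectName clauses of the query.
WALLET_PATHS = [r"wallet\.dat", r"\\Exodus\\", r"\\Electrum\\", r"\\Ethereum\\keystore\\",
                r"MetaMask", r"\\Coinbase\\", r"\\AppData\\.*\\Extensions\\"]
WALLET_CMD = ["wallet.dat", "keystore", "exodus", "metamask", ".ethereum",
              "seed phrase", "mnemonic", "private_key"]
# Processes that legitimately own wallet files (the NOT clause of the EventCode 11 branch).
WALLET_OWNERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "exodus.exe", "electrum.exe"}
FORWARD_ACTIONS = ["forwardto", "redirectto", "forwardasattachmentto"]
BEC_WORDS = ["invoice", "payment", "wire", "transfer", "bank", "cfo", "ceo", "payroll"]
# Tuning allowlist (assumed names): approved backup / FIM tools that may touch wallet files.
ALLOWED_IMAGES = {"walletbackup.exe", "fimagent.exe"}


def classify(ev):
    """Return (alert_type, risk_score) for one event, or None, mirroring the four branches."""
    src, code = ev.get("source"), ev.get("EventCode")
    image = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
    if image in ALLOWED_IMAGES:
        return None
    if src == "sysmon" and code == 11:
        target = ev.get("TargetFilename", "")
        if any(re.search(p, target, re.I) for p in WALLET_PATHS) and image not in WALLET_OWNERS:
            return ("CryptoWalletFileCreate", 80)
    elif src == "sysmon" and code == 1:
        cmd = ev.get("CommandLine", "").lower()
        if any(k in cmd for k in WALLET_CMD) or re.search(r"crypto.*wallet", cmd):
            return ("CryptoWalletProcessCmd", 85)
    elif src == "wineventlog" and code == 4663:
        obj = ev.get("ObjectName", "")
        if any(re.search(p, obj, re.I) for p in WALLET_PATHS[:4]):
            return ("CryptoWalletObjAccess", 75)
    elif src == "o365" and ev.get("Operation") in ("New-InboxRule", "Set-InboxRule", "UpdateInboxRules"):
        params = ev.get("Parameters", "").lower()
        if any(a in params for a in FORWARD_ACTIONS) and any(w in params for w in BEC_WORDS):
            return ("BECInboxRule", 90)
    return None


def correlate(events, span_s=600):
    """bin _time span=10m | stats ... by _time, host, User | risk scoring | sort."""
    bins = defaultdict(list)
    for ev in events:
        hit = classify(ev)
        if hit is None:
            continue
        t = ev["_time"]  # epoch seconds, as Splunk already stores _time
        bins[(t - t % span_s, ev.get("host", ""), ev["User"])].append(hit)
    rows = []
    for (window, host, user), hits in bins.items():
        alert_types = sorted({h[0] for h in hits})
        max_risk = max(h[1] for h in hits)
        if len(alert_types) >= 2:
            final = "Critical"
        elif max_risk >= 85:
            final = "High"
        elif max_risk >= 70:
            final = "Medium"
        else:
            continue  # Low windows are filtered out by the where clause
        rows.append({"window": window, "host": host, "User": user, "alert_types": alert_types,
                     "event_count": len(hits), "final_risk": final})
    rank = {"Critical": 3, "High": 2, "Medium": 1}
    return sorted(rows, key=lambda r: (rank[r["final_risk"]], r["event_count"]), reverse=True)


T0 = int(datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc).timestamp())
SAMPLE_EVENTS = [  # constructed sample telemetry, not real logs
    {"source": "sysmon", "EventCode": 1, "_time": T0 + 30, "host": "WS01", "User": "CORP\\alice",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -NoProfile -Command Get-Item "$env:APPDATA\Bitcoin\wallet.dat"'},
    {"source": "sysmon", "EventCode": 11, "_time": T0 + 45, "host": "WS01", "User": "CORP\\alice",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\staging\wallet.dat"},
    {"source": "sysmon", "EventCode": 11, "_time": T0 + 60, "host": "WS02", "User": "CORP\\bob",
     "Image": r"C:\Program Files\Exodus\Exodus.exe",  # wallet app itself: excluded
     "TargetFilename": r"C:\Users\bob\AppData\Roaming\Exodus\exodus.wallet\seed.seco"},
    {"source": "sysmon", "EventCode": 11, "_time": T0 + 90, "host": "WS03", "User": "CORP\\carol",
     "Image": r"C:\Tools\walletbackup.exe",  # allowlisted backup tool: tuned out
     "TargetFilename": r"E:\backup\wallet.dat"},
    {"source": "wineventlog", "EventCode": 4663, "_time": T0 + 700, "host": "WS04", "User": "CORP\\dave",
     "Image": r"C:\Windows\explorer.exe", "ObjectName": r"C:\Users\dave\AppData\Roaming\Bitcoin\wallet.dat"},
    {"source": "o365", "Operation": "New-InboxRule", "_time": T0 + 120, "host": "o365",
     "User": "eve@example.com", "Image": "203.0.113.7",
     "Parameters": '[{"Name":"ForwardTo","Value":"ext@example.net"},{"Name":"SubjectContainsWords","Value":"invoice"}]'},
]

if __name__ == "__main__":
    for row in correlate(SAMPLE_EVENTS):
        print(row)
```

Running it yields three rows in severity order: alice on WS01 is Critical because the process-command and file-create signals land in the same 10-minute window, eve's forwarding rule is High on the single 90-point BEC signal, and dave's 4663 read is Medium; bob's Exodus.exe activity and carol's allowlisted backup tool produce nothing. The allowlist check is applied before classification so a tuned-out process never contributes to a window's alert-type count.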

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Cryptocurrency Wallet File Enumeration via PowerShell

    Expected signal: DeviceFileEvents with ActionType=FileAccessed for wallet.dat path; Sysmon EventID 11 (FileCreate) in staging directory; DeviceProcessEvents with powershell.exe CommandLine containing wallet path strings; PowerShell ScriptBlock logs EventID 4104 containing wallet enumeration commands

  2. Test 2: BEC Inbox Forwarding Rule Creation via Exchange PowerShell

    Expected signal: O365 Unified Audit Log: Operation=New-InboxRule with Parameters containing ForwardTo and financial keyword conditions; CloudAppEvents table in Sentinel populated within 15-30 minutes of rule creation

  3. Test 3: Browser Cryptocurrency Extension Storage Enumeration

    Expected signal: DeviceFileEvents with ActionType=FileAccessed for Chrome extension storage paths (nkbihfbeogaeaoehlefnkodbefgpgknn = MetaMask, hnfanknocfeofbddgcijnmhnfnkdnaad = Coinbase); InitiatingProcessFileName=cmd.exe; Sysmon EventID 1 with CommandLine containing LOCALAPPDATA Chrome Extensions wallet extension IDs
