Detect Financial Theft in Sumo Logic CSE
This detection identifies behaviors associated with adversary financial theft operations including cryptocurrency wallet credential harvesting, business email compromise (BEC) infrastructure setup, ransomware extortion precursors, and unauthorized access to financial application data. The detection covers multiple attack vectors: process-level access to browser-stored cryptocurrency wallet extensions and keystore files, suspicious inbox rule creation indicative of BEC email redirection, mass file enumeration of financial document paths, and execution of known financial theft malware behaviors such as those exhibited by InvisibleFerret and BeaverTail. Detection logic correlates file access events against high-value financial paths (wallet.dat, MetaMask/Exodus/Coinbase browser extension storage, banking application credential stores) with suspicious process ancestry and user context anomalies.
MITRE ATT&CK
- Tactic
- Impact
- Technique
- T1657 Financial Theft
- Canonical reference
- https://attack.mitre.org/techniques/T1657/
Sumo Detection Query
_sourceCategory=windows/* OR _sourceCategory=endpoint/*
| json auto
| where process_name in ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe")
| where process_cmdline matches /(-enc|-bypass|-hidden)/i
| if(process_cmdline matches /-enc/i, 80, 60) as risk_score
| where risk_score >= 60
| count by host, user, process_name, process_cmdline, risk_score
| sort - risk_scoreSumo Logic detection for Financial Theft (T1657). Identifies adversary financial theft behaviors using Sumo Logic's search pipeline with field extraction and anomaly classification.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate cryptocurrency portfolio management tools (CryptoCompare, Koinly, CoinTracking) reading wallet files for tax/portfolio reporting
- IT backup software (Veeam, Acronis, Windows Backup) scanning AppData directories including wallet application folders
- Finance team members creating legitimate email forwarding rules for invoice or payment notification workflows
Other platforms for T1657
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Cryptocurrency Wallet File Enumeration via PowerShell
Expected signal: DeviceFileEvents with ActionType=FileAccessed for wallet.dat path; Sysmon EventID 11 (FileCreate) in staging directory; DeviceProcessEvents with powershell.exe CommandLine containing wallet path strings; PowerShell ScriptBlock logs EventID 4104 containing wallet enumeration commands
- Test 2BEC Inbox Forwarding Rule Creation via Exchange PowerShell
Expected signal: O365 Unified Audit Log: Operation=New-InboxRule with Parameters containing ForwardTo and financial keyword conditions; CloudAppEvents table in Sentinel populated within 15-30 minutes of rule creation
- Test 3Browser Cryptocurrency Extension Storage Enumeration
Expected signal: DeviceFileEvents with ActionType=FileAccessed for Chrome extension storage paths (nkbihfbeogaeaoehlefnkodbefgpgknn = MetaMask, hnfanknocfeofbddgcijnmhnfnkdnaad = Coinbase); InitiatingProcessFileName=cmd.exe; Sysmon EventID 1 with CommandLine containing LOCALAPPDATA Chrome Extensions wallet extension IDs
References (7)
- https://attack.mitre.org/techniques/T1657/
- https://www.ic3.gov/Media/PDF/AnnualReport/2022_IC3Report.pdf
- https://www.fbi.gov/how-we-can-help-you/scams-and-safety/common-scams-and-crimes/ransomware
- https://www.mandiant.com/resources/blog/data-theft-extortion-ransomware
- https://www.esentire.com/blog/contagious-interview-attack-campaign-update
- https://www.justice.gov/opa/pr/north-korean-hackers-charged-crypto-theft
- https://www.crowdstrike.com/blog/double-extortion-ransomware-leak-sites/
Unlock Pro Content
Get the full detection package for T1657 including response playbook, investigation guide, and atomic red team tests.