title: Financial Theft (T1657)
id: df00tech-t1657
status: experimental
description: "This detection identifies behaviors associated with adversary financial theft operations including cryptocurrency wallet credential harvesting, business email compromise (BEC) infrastructure setup, ransomware extortion precursors, and unauthorized access to financial application data. The detection covers multiple attack vectors: process-level access to browser-stored cryptocurrency wallet extensions and keystore files, suspicious inbox rule creation indicative of BEC email redirection, mass file enumeration of financial document paths, and execution of known financial theft malware behaviors such as those exhibited by InvisibleFerret and BeaverTail. Detection logic correlates file access events against high-value financial paths (wallet.dat, MetaMask/Exodus/Coinbase browser extension storage, banking application credential stores) with suspicious process ancestry and user context anomalies."
references:
  - https://attack.mitre.org/techniques/T1657/
  - https://df00tech.com/detections/T1657
author: df00tech
date: 2026/03/20
tags:
  - attack.t1657
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  product: azure
detection:
  # Placeholder only: the original detection logic could not be auto-translated into Sigma;
  # see the KQL/SPL query on df00tech. As written, `EventID: '*'` matches every event in the
  # log source, so this rule must not be enabled at level high until the selection below is
  # replaced with the real query logic.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Legitimate cryptocurrency portfolio management tools (CryptoCompare, Koinly, CoinTracking) reading wallet files for tax/portfolio reporting"
  - "IT backup software (Veeam, Acronis, Windows Backup) scanning AppData directories including wallet application folders"
  - "Finance team members creating legitimate email forwarding rules for invoice or payment notification workflows"
  - "Password manager applications (1Password, Bitwarden, LastPass) accessing browser extension storage during sync operations"
  - "Antivirus or EDR scanning engines performing file access on wallet directories during scheduled scans"
level: high
