Uncommon applications accessing cryptocurrency wallet files may indicate an adversary attempting to exfiltrate sensitive cryptographic credentials. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential wallet-stealing activities early.
Detection Rule
```yaml
title: Access To Crypto Currency Wallets By Uncommon Applications
id: f41b0311-44f9-44f0-816d-dd45e39d4bc8
status: test
description: |
    Detects file access requests to crypto currency files by uncommon processes.
    Could indicate potential attempt of crypto currency wallet stealing.
references:
    - Internal Research
author: X__Junior (Nextron Systems)
date: 2024-07-29
tags:
    - attack.t1003
    - attack.credential-access
logsource:
    category: file_access
    product: windows
    definition: 'Requirements: Microsoft-Windows-Kernel-File ETW provider'
detection:
    selection:
        - FileName|contains:
              - '\AppData\Roaming\Ethereum\keystore\'
              - '\AppData\Roaming\EthereumClassic\keystore\'
              - '\AppData\Roaming\monero\wallets\'
        - FileName|endswith:
              - '\AppData\Roaming\Bitcoin\wallet.dat'
              - '\AppData\Roaming\BitcoinABC\wallet.dat'
              - '\AppData\Roaming\BitcoinSV\wallet.dat'
              - '\AppData\Roaming\DashCore\wallet.dat'
              - '\AppData\Roaming\DogeCoin\wallet.dat'
              - '\AppData\Roaming\Litecoin\wallet.dat'
              - '\AppData\Roaming\Ripple\wallet.dat'
              - '\AppData\Roaming\Zcash\wallet.dat'
    filter_main_system:
        Image: System
    filter_main_generic:
        # This filter is added to avoid a large number of FPs with 3rd-party software.
        # You should remove it in favour of specific per-application filters.
        Image|startswith:
            - 'C:\Program Files (x86)\'
            - 'C:\Program Files\'
            - 'C:\Windows\system32\'
            - 'C:\Windows\SysWOW64\'
    filter_optional_defender:
        # Both keys in this map must match (AND): the Defender directory and one of its binaries.
        Image|startswith: 'C:\ProgramData\Microsoft\Windows Defender\'
        Image|endswith:
            - '\MpCopyAccelerator.exe'
            - '\MsMpEng.exe'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Antivirus, Anti-Spyware, Anti-Malware Software
    - Backup software
    - Legitimate software installed on partitions other than "C:\"
    - Search software such as "everything.exe"
level: medium
```
Azure Sentinel Query

```kql
imFileEvent
// ASIM FileEvent schema: TargetFilePath is the file being accessed and ActingProcessName
// is the accessing process (Sigma FileName and Image respectively). The process-path
// filters must be evaluated against ActingProcessName, not against the file path.
| where TargetFilePath contains "\\AppData\\Roaming\\Ethereum\\keystore\\"
    or TargetFilePath contains "\\AppData\\Roaming\\EthereumClassic\\keystore\\"
    or TargetFilePath contains "\\AppData\\Roaming\\monero\\wallets\\"
    or TargetFilePath endswith "\\AppData\\Roaming\\Bitcoin\\wallet.dat"
    or TargetFilePath endswith "\\AppData\\Roaming\\BitcoinABC\\wallet.dat"
    or TargetFilePath endswith "\\AppData\\Roaming\\BitcoinSV\\wallet.dat"
    or TargetFilePath endswith "\\AppData\\Roaming\\DashCore\\wallet.dat"
    or TargetFilePath endswith "\\AppData\\Roaming\\DogeCoin\\wallet.dat"
    or TargetFilePath endswith "\\AppData\\Roaming\\Litecoin\\wallet.dat"
    or TargetFilePath endswith "\\AppData\\Roaming\\Ripple\\wallet.dat"
    or TargetFilePath endswith "\\AppData\\Roaming\\Zcash\\wallet.dat"
// filter_main_system and filter_main_generic: any one of these excludes the event
| where not (ActingProcessName =~ "System"
    or ActingProcessName startswith "C:\\Program Files (x86)\\"
    or ActingProcessName startswith "C:\\Program Files\\"
    or ActingProcessName startswith "C:\\Windows\\system32\\"
    or ActingProcessName startswith "C:\\Windows\\SysWOW64\\")
// filter_optional_defender: both the directory prefix and the binary name must match
| where not (ActingProcessName startswith "C:\\ProgramData\\Microsoft\\Windows Defender\\"
    and (ActingProcessName endswith "\\MpCopyAccelerator.exe"
      or ActingProcessName endswith "\\MsMpEng.exe"))
```
False Positive Scenarios

Scenario: Scheduled Backup Job Accessing Wallet Files
Description: A legitimate scheduled backup job (e.g., VeeamBackupService.exe or rsync.exe) accesses cryptocurrency wallet files as part of a routine backup process.
Filter/Exclusion: Exclude processes associated with known backup tools, or check for the presence of a backup job with a known name in the Task Scheduler.

Scenario: System Maintenance Task Accessing Wallet Files
Description: A system maintenance task (e.g., TaskScheduler.exe or schtasks.exe) runs a script that accesses cryptocurrency wallet files for configuration or monitoring purposes.
Filter/Exclusion: Exclude processes initiated by the Task Scheduler and verify that the task is associated with a known system maintenance script or service.

Scenario: Admin User Accessing Wallet Files for Troubleshooting
Description: An administrator (e.g., via cmd.exe or powershell.exe) manually accesses cryptocurrency wallet files to troubleshoot an application or service.
Filter/Exclusion: Exclude access by users with administrative privileges and check for the presence of a legitimate troubleshooting script or command history.

Scenario: Cryptocurrency Wallet Management Tool Access
Description: A legitimate cryptocurrency wallet management tool (e.g., Electrum.exe or Bitcoin-Qt.exe) accesses wallet files during normal operation.
Filter/Exclusion: Exclude processes associated with known cryptocurrency wallet applications and verify that the process is running from its expected installation directory.

Scenario: Third-Party Security Tool Scanning Wallet Files
Description: A third-party security or compliance tool (e.g., Malwarebytes.exe or Bitdefender.exe) accesses cryptocurrency wallet files during a scan or audit.
Filter/Exclusion: Exclude processes associated with known security tools and check for the presence of a legitimate scan or audit task in the system logs.
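As an added example (not the rule's code, nor part of this page), the following Python replays the rule's selection and filter logic over constructed file-access events, so the effect of the generic Program Files exclusion, the ANDed Defender filter and the "software installed on another partition" false positive listed above can be seen directly. The user name, binary paths and event dictionaries are constructed sample data.

```python
# Wallet path fragments from the rule's selection block, pre-lowered because
# Sigma string modifiers (contains/endswith/startswith) are case-insensitive.
WALLET_CONTAINS = ("\\appdata\\roaming\\ethereum\\keystore\\",
                   "\\appdata\\roaming\\ethereumclassic\\keystore\\",
                   "\\appdata\\roaming\\monero\\wallets\\")
WALLET_ENDSWITH = tuple(f"\\appdata\\roaming\\{w}\\wallet.dat" for w in (
    "bitcoin", "bitcoinabc", "bitcoinsv", "dashcore", "dogecoin",
    "litecoin", "ripple", "zcash"))
GENERIC_PREFIXES = ("c:\\program files (x86)\\", "c:\\program files\\",
                    "c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
DEFENDER_PREFIX = "c:\\programdata\\microsoft\\windows defender\\"
DEFENDER_IMAGES = ("\\mpcopyaccelerator.exe", "\\msmpeng.exe")

def selection(file_name: str) -> bool:
    f = file_name.lower()
    return any(p in f for p in WALLET_CONTAINS) or f.endswith(WALLET_ENDSWITH)

def filter_main(image: str) -> bool:
    """filter_main_system or filter_main_generic: either one excludes the event."""
    i = image.lower()
    return i == "system" or i.startswith(GENERIC_PREFIXES)

def filter_optional_defender(image: str) -> bool:
    """Two keys in one Sigma map are ANDed: path prefix and binary name must both hold."""
    i = image.lower()
    return i.startswith(DEFENDER_PREFIX) and i.endswith(DEFENDER_IMAGES)

def matches(event: dict) -> bool:
    """condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*"""
    return (selection(event["FileName"]) and not filter_main(event["Image"])
            and not filter_optional_defender(event["Image"]))

# Constructed sample events: Image is the accessing process, FileName the file touched.
ROAMING = "C:\\Users\\alice\\AppData\\Roaming\\"
EVENTS = [
    {"Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe", "FileName": ROAMING + "Bitcoin\\wallet.dat"},
    {"Image": "C:\\Program Files\\Bitcoin\\Bitcoin-Qt.exe", "FileName": ROAMING + "Bitcoin\\wallet.dat"},
    {"Image": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18\\MsMpEng.exe",
     "FileName": ROAMING + "Ethereum\\keystore\\UTC--2024-07-29--key"},
    {"Image": "D:\\Backup\\VeeamBackupService.exe", "FileName": ROAMING + "monero\\wallets\\main.keys"},
    {"Image": "System", "FileName": ROAMING + "Zcash\\wallet.dat"},
    {"Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe", "FileName": ROAMING + "Bitcoin\\wallet.dat.bak"},
]

def alerting_images(events=EVENTS) -> list:
    """Processes that fire the rule: the Temp binary and the D:\\ backup tool (a documented FP)."""
    return [e["Image"] for e in events if matches(e)]

if __name__ == "__main__":
    print("ALERT:", *alerting_images(), sep="\n")
```

The backup tool on D:\ fires because the generic filter only covers C:\ install paths, which is why the rule's own comment recommends replacing it with per-application filters.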