Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionmediumtest

Access To Crypto Currency Wallets By Uncommon Applications

Detects file access requests to crypto currency files by uncommon processes. Could indicate potential attempt of crypto currency wallet stealing.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
X__Junior (Nextron Systems)Created Mon Jul 29f41b0311-44f9-44f0-816d-dd45e39d4bc8windows
Log Source
Windowsfile_access
ProductWindows← raw: windows
Categoryfile_access← raw: file_access

Definition

Requirements: Microsoft-Windows-Kernel-File ETW provider

Detection Logic
Detection Logic4 selectors
detection:
    selection:
        - FileName|contains:
              - '\AppData\Roaming\Ethereum\keystore\'
              - '\AppData\Roaming\EthereumClassic\keystore\'
              - '\AppData\Roaming\monero\wallets\'
        - FileName|endswith:
              - '\AppData\Roaming\Bitcoin\wallet.dat'
              - '\AppData\Roaming\BitcoinABC\wallet.dat'
              - '\AppData\Roaming\BitcoinSV\wallet.dat'
              - '\AppData\Roaming\DashCore\wallet.dat'
              - '\AppData\Roaming\DogeCoin\wallet.dat'
              - '\AppData\Roaming\Litecoin\wallet.dat'
              - '\AppData\Roaming\Ripple\wallet.dat'
              - '\AppData\Roaming\Zcash\wallet.dat'
    filter_main_system:
        Image: System
    filter_main_generic:
        # This filter is added to avoid large amount of FP with 3rd party software. You should remove this in favour of specific filter per-application
        Image|startswith:
            - 'C:\Program Files (x86)\'
            - 'C:\Program Files\'
            - 'C:\Windows\system32\'
            - 'C:\Windows\SysWOW64\'
    filter_optional_defender:
        Image|startswith: 'C:\ProgramData\Microsoft\Windows Defender\'
        Image|endswith:
            - '\MpCopyAccelerator.exe'
            - '\MsMpEng.exe'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
False Positives

Antivirus, Anti-Spyware, Anti-Malware Software

Backup software

Legitimate software installed on partitions other than "C:\"

Searching software such as "everything.exe"

References
1
Resolving title…
Internal Research
MITRE ATT&CK
Rule Metadata
Rule ID
f41b0311-44f9-44f0-816d-dd45e39d4bc8
Status
test
Level
medium
Type
Detection
Created
Mon Jul 29
Author
X__Junior (Nextron Systems)
Path
rules/windows/file/file_access/file_access_win_susp_crypto_currency_wallets.yml
Raw Tags
attack.t1003attack.credential-access
View on GitHub