Access To Crypto Currency Wallets By Uncommon Applications
- source: sigma
- techniques:
  - t1003
Description
Detects file access requests to crypto currency wallet files by uncommon processes. Could indicate a potential attempt at crypto currency wallet theft.
Detection logic
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
filter_main_generic:
  Image|startswith:
    - 'C:\Program Files (x86)\'
    - 'C:\Program Files\'
    - 'C:\Windows\system32\'
    - 'C:\Windows\SysWOW64\'
filter_main_system:
  Image: System
filter_optional_defender:
  Image|endswith:
    - '\MpCopyAccelerator.exe'
    - '\MsMpEng.exe'
  Image|startswith: 'C:\ProgramData\Microsoft\Windows Defender\'
selection:
  - FileName|contains:
      - '\AppData\Roaming\Ethereum\keystore\'
      - '\AppData\Roaming\EthereumClassic\keystore\'
      - '\AppData\Roaming\monero\wallets\'
  - FileName|endswith:
      - '\AppData\Roaming\Bitcoin\wallet.dat'
      - '\AppData\Roaming\BitcoinABC\wallet.dat'
      - '\AppData\Roaming\BitcoinSV\wallet.dat'
      - '\AppData\Roaming\DashCore\wallet.dat'
      - '\AppData\Roaming\DogeCoin\wallet.dat'
      - '\AppData\Roaming\Litecoin\wallet.dat'
      - '\AppData\Roaming\Ripple\wallet.dat'
      - '\AppData\Roaming\Zcash\wallet.dat'
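The condition above, re-implemented in Python as an added example (not code from the Sigma project or this page) and run over constructed file-access events; the Image/FileName field names follow the rule, while the sample paths and the process names in the events are assumptions chosen to exercise each filter, including the Defender filter whose two keys must both hold.

```python
# Sigma string modifiers match case-insensitively, so every comparison is lower-cased.
WALLET_DIR_CONTAINS = ("\\appdata\\roaming\\ethereum\\keystore\\",
    "\\appdata\\roaming\\ethereumclassic\\keystore\\", "\\appdata\\roaming\\monero\\wallets\\")
WALLET_FILE_ENDSWITH = tuple(f"\\appdata\\roaming\\{coin}\\wallet.dat" for coin in
    ("bitcoin", "bitcoinabc", "bitcoinsv", "dashcore", "dogecoin", "litecoin", "ripple", "zcash"))
TRUSTED_IMAGE_PREFIXES = ("c:\\program files (x86)\\", "c:\\program files\\",
                          "c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
DEFENDER_SUFFIXES = ("\\mpcopyaccelerator.exe", "\\msmpeng.exe")
DEFENDER_PREFIX = "c:\\programdata\\microsoft\\windows defender\\"

def selection(filename: str) -> bool:
    """selection: its two list items (contains / endswith) are OR-ed."""
    f = filename.lower()
    return any(d in f for d in WALLET_DIR_CONTAINS) or f.endswith(WALLET_FILE_ENDSWITH)

def filter_main(image: str) -> bool:
    """1 of filter_main_*: trusted install directories OR the System pseudo-process."""
    i = image.lower()
    return i.startswith(TRUSTED_IMAGE_PREFIXES) or i == "system"

def filter_optional(image: str) -> bool:
    """filter_optional_defender: keys inside one map are AND-ed, so both must hold."""
    i = image.lower()
    return i.endswith(DEFENDER_SUFFIXES) and i.startswith(DEFENDER_PREFIX)

def rule_matches(event: dict) -> bool:
    """condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*"""
    return (selection(event["FileName"]) and not filter_main(event["Image"])
            and not filter_optional(event["Image"]))

# Constructed sample events, not real telemetry; each exercises one branch of the rule.
SAMPLE_EVENTS = [
    {"Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",            # fires
     "FileName": "C:\\Users\\alice\\AppData\\Roaming\\Bitcoin\\wallet.dat"},
    {"Image": "C:\\Program Files\\Bitcoin\\bitcoin-qt.exe",                    # filter_main_generic
     "FileName": "C:\\Users\\alice\\AppData\\Roaming\\Bitcoin\\wallet.dat"},
    {"Image": "System",                                                        # filter_main_system
     "FileName": "C:\\Users\\alice\\AppData\\Roaming\\monero\\wallets\\w.keys"},
    {"Image": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\MsMpEng.exe",  # defender
     "FileName": "C:\\Users\\alice\\AppData\\Roaming\\Ethereum\\keystore\\UTC--key"},
    {"Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",            # not a wallet file
     "FileName": "C:\\Users\\alice\\Documents\\notes.txt"},
]

def alerts(events):
    """Return only the events on which the rule fires."""
    return [e for e in events if rule_matches(e)]

if __name__ == "__main__":
    print(alerts(SAMPLE_EVENTS))
```

Only the first event survives both filters; a binary that merely shares Defender's file name but runs from elsewhere is still reported, because the startswith key of that filter fails.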