LoFP / legitimate software installed on partitions other than "C:\"

Techniques

Sample rules

Access To Crypto Currency Wallets By Uncommon Applications

Description

Detects file access requests to crypto currency wallet files by uncommon processes. This could indicate an attempt to steal crypto currency wallets.

Detection logic

condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
filter_main_generic:
  Image|startswith:
  - C:\Program Files (x86)\
  - C:\Program Files\
  - C:\Windows\system32\
  - C:\Windows\SysWOW64\
filter_main_system:
  Image: System
filter_optional_defender:
  Image|endswith:
  - \MpCopyAccelerator.exe
  - \MsMpEng.exe
  Image|startswith: C:\ProgramData\Microsoft\Windows Defender\
selection:
- FileName|contains:
  - \AppData\Roaming\Ethereum\keystore\
  - \AppData\Roaming\EthereumClassic\keystore\
  - \AppData\Roaming\monero\wallets\
- FileName|endswith:
  - \AppData\Roaming\Bitcoin\wallet.dat
  - \AppData\Roaming\BitcoinABC\wallet.dat
  - \AppData\Roaming\BitcoinSV\wallet.dat
  - \AppData\Roaming\DashCore\wallet.dat
  - \AppData\Roaming\DogeCoin\wallet.dat
  - \AppData\Roaming\Litecoin\wallet.dat
  - \AppData\Roaming\Ripple\wallet.dat
  - \AppData\Roaming\Zcash\wallet.dat
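The following is an added example, not part of this LoFP page or of the Sigma rule: a minimal evaluator for the rule's condition, run over constructed file-access events to show why wallet software installed on a drive other than C:\ is not covered by filter_main_generic and therefore fires the rule. The Image and FileName values are constructed.

```python
# Added example (not the LoFP page's or the Sigma rule's own code): evaluates
# "selection and not 1 of filter_main_* and not 1 of filter_optional_*" over
# constructed events. Sigma string modifiers match case-insensitively.

WALLET_DIRS = [  # selection: FileName|contains
    "\\AppData\\Roaming\\Ethereum\\keystore\\",
    "\\AppData\\Roaming\\EthereumClassic\\keystore\\",
    "\\AppData\\Roaming\\monero\\wallets\\",
]
WALLET_FILES = [  # selection: FileName|endswith
    "\\AppData\\Roaming\\%s\\wallet.dat" % w for w in (
        "Bitcoin", "BitcoinABC", "BitcoinSV", "DashCore",
        "DogeCoin", "Litecoin", "Ripple", "Zcash")
]
TRUSTED_PREFIXES = [  # filter_main_generic: Image|startswith (C:\ paths only)
    "C:\\Program Files (x86)\\", "C:\\Program Files\\",
    "C:\\Windows\\system32\\", "C:\\Windows\\SysWOW64\\",
]
DEFENDER_DIR = "C:\\ProgramData\\Microsoft\\Windows Defender\\"
DEFENDER_IMAGES = ["\\MpCopyAccelerator.exe", "\\MsMpEng.exe"]


def rule_fires(event):
    """Return True when the rule would alert on this file-access event."""
    image = event.get("Image", "").lower()
    filename = event.get("FileName", "").lower()
    selection = (any(d.lower() in filename for d in WALLET_DIRS)
                 or any(filename.endswith(f.lower()) for f in WALLET_FILES))
    filter_main = (any(image.startswith(p.lower()) for p in TRUSTED_PREFIXES)
                   or image == "system")
    # Both keys of filter_optional_defender sit in one map, so they are AND-ed.
    filter_defender = (image.startswith(DEFENDER_DIR.lower())
                       and any(image.endswith(x.lower()) for x in DEFENDER_IMAGES))
    return selection and not filter_main and not filter_defender


# Constructed events: the same wallet file opened by different processes.
WALLET = "C:\\Users\\alice\\AppData\\Roaming\\Bitcoin\\wallet.dat"
EVENTS = {
    "unknown_temp_binary": {"Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\upd.exe", "FileName": WALLET},
    "wallet_app_on_c": {"Image": "C:\\Program Files\\Bitcoin\\bitcoin-qt.exe", "FileName": WALLET},
    "wallet_app_on_d": {"Image": "D:\\Program Files\\Bitcoin\\bitcoin-qt.exe", "FileName": WALLET},
    "defender_scan": {"Image": DEFENDER_DIR + "Platform\\MsMpEng.exe", "FileName": WALLET},
}

if __name__ == "__main__":
    for name, ev in EVENTS.items():
        print(f"{name:22} fires={rule_fires(ev)}")
```

The wallet_app_on_d event is the false positive this page documents: a legitimate wallet client on D:\ passes none of the Image prefixes, so a site-specific filter for the alternate install path is needed.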