Skip to content

DET0495 Detection Strategy for Financial Theft

Item Value
ID DET0495
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1657 (Financial Theft)

Analytics

Windows

AN1361

Monitor for anomalous access to financial applications, browser-based banking sessions, or enterprise ERP systems from Windows endpoints. Detect mass emailing of payment instructions, sudden rule changes in Outlook for financial staff, or use of clipboard data exfiltration tied to cryptocurrency wallet addresses.

Log Sources
Data Component Name Channel
Logon Session Creation (DC0067) WinEventLog:Security EventCode=4624, 4648
Process Creation (DC0032) WinEventLog:Sysmon EventCode=1
Mutable Elements
Field Description
FinanceAppList Baseline of finance-related executables or ERP processes to monitor closely.
HighRiskAccounts Accounts belonging to finance, treasury, or executives that should be monitored with higher sensitivity.

Linux

AN1362

Monitor server and endpoint logs for unusual outbound network connections to cryptocurrency nodes, unauthorized scripts accessing financial systems, or automation targeting payment file formats. Detect curl/wget activity aimed at exfiltrating transaction data or credentials from financial apps.

Log Sources
Data Component Name Channel
Command Execution (DC0064) auditd:SYSCALL execve: Execution of curl, wget, or custom scripts accessing financial endpoints
Application Log Content (DC0038) linux:syslog Authentication attempts into finance-related servers from unusual IPs or times
Mutable Elements
Field Description
KnownFinanceIPs Whitelisted IPs for finance-related traffic to reduce noise.

macOS

AN1363

Monitor unified logs for access to payment applications, browser plug-ins, or Apple Pay services from non-standard processes. Detect anomalous use of Automator scripts or keychain extraction targeting financial account credentials.

Log Sources
Data Component Name Channel
Process Creation (DC0032) macos:unifiedlog Non-standard processes invoking financial applications or payment APIs
Application Log Content (DC0038) macos:unifiedlog Anomalous keychain access attempts targeting payment credentials
Mutable Elements
Field Description
MonitoredApps Financial or payment applications to explicitly monitor for unauthorized use.

SaaS

AN1364

Monitor SaaS financial systems (e.g., QuickBooks, Workday, SAP S/4HANA cloud) for unauthorized access, rule changes, or mass export of financial data. Detect anomalous transfers initiated via SaaS APIs or new MFA-disabled logins targeting finance apps.

Log Sources
Data Component Name Channel
Application Log Content (DC0038) saas:finance Transaction/Transfer: Unusual or large transactions initiated outside business hours or by unusual accounts
Mutable Elements
Field Description
TransactionThreshold Customizable monetary threshold above which financial transactions should be flagged.

Office Suite

AN1365

Monitor email and document management systems for fraudulent invoices, impersonation of vendors, or BEC-style payment redirections. Detect abnormal editing of invoice templates, or emails containing known fraud language combined with attachment delivery.

Log Sources
Data Component Name Channel
Application Log Content (DC0038) m365:unified MailSend: Outlook messages with suspicious subject/body terms (e.g., urgent payment, wire transfer) targeting finance teams
File Modification (DC0061) m365:office Anomalous editing of invoice or payment document templates
Mutable Elements
Field Description
FraudTerms Adjustable keyword list for email and document fraud detection.