
Commit c7ca75b

committed
new: OpenClaw AI agent family detection rules
new: Potential Autonomous AI Agent Activity Via Known Working Directory
new: Potential Autonomous AI Agent Workspace File Creation
new: Potential Autonomous AI Agent NPM Install
new: Potential Autonomous AI Agent Postinstall Script Execution
1 parent df5c6a6 commit c7ca75b

16 files changed

Lines changed: 453 additions & 0 deletions
@@ -0,0 +1,48 @@
1+
{
2+
"Event": {
3+
"System": {
4+
"Provider": {
5+
"#attributes": {
6+
"Name": "Microsoft-Windows-Sysmon",
7+
"Guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"
8+
}
9+
},
10+
"EventID": "11",
11+
"Version": "2",
12+
"Level": "4",
13+
"Task": "11",
14+
"Opcode": "0",
15+
"Keywords": "0x8000000000000000",
16+
"TimeCreated": {
17+
"#attributes": {
18+
"SystemTime": "2026-05-16T04:19:17.2580305Z"
19+
}
20+
},
21+
"EventRecordID": "2077476",
22+
"Correlation": null,
23+
"Execution": {
24+
"#attributes": {
25+
"ProcessID": "3268",
26+
"ThreadID": "3760"
27+
}
28+
},
29+
"Channel": "Microsoft-Windows-Sysmon/Operational",
30+
"Computer": "victim",
31+
"Security": {
32+
"#attributes": {
33+
"UserID": "S-1-5-18"
34+
}
35+
}
36+
},
37+
"EventData": {
38+
"RuleName": "-",
39+
"UtcTime": "2026-05-16 04:19:17.257",
40+
"ProcessGuid": "{f9e78101-f035-6a07-7105-000000002100}",
41+
"ProcessId": "2072",
42+
"Image": "C:\\Program Files\\nodejs\\node.exe",
43+
"TargetFilename": "C:\\Users\\Rundle\\.openclaw\\memory\\main.sqlite",
44+
"CreationUtcTime": "2026-05-16 04:19:17.257",
45+
"User": "VICTIM\\Rundle"
46+
}
47+
}
48+
}
Lines changed: 13 additions & 0 deletions
@@ -0,0 +1,13 @@
1+
id: 58510d90-258d-47e5-9079-f1d6cb3d9860
2+
description: N/A
3+
date: 2026-05-16
4+
author: David El (0xdavidel)
5+
rule_metadata:
6+
- id: 97e942d3-2e3d-41f0-8fea-8a33fc199db0
7+
title: Potential Autonomous AI Agent Workspace File Creation
8+
regression_tests_info:
9+
- name: Positive Detection Test
10+
type: evtx
11+
provider: Microsoft-Windows-Sysmon
12+
match_count: 1
13+
path: regression_data/rules/windows/file/file_event/file_event_win_openclaw_agent_workspace_created/97e942d3-2e3d-41f0-8fea-8a33fc199db0.evtx
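Review bot: `description: N/A` on line 2 leaves the regression case undocumented, so a maintainer reading this file cannot tell which field of the fixture the rule is expected to match; the accompanying event shows node.exe creating `main.sqlite` under a user's `.openclaw\memory` directory, and the description should say so, e.g. `description: Sysmon EID 11 - node.exe creates main.sqlite under %USERPROFILE%\.openclaw\memory`. The test list also contains only a positive case with `match_count: 1`, so nothing in the suite would fail if the rule were later loosened to any node.exe file creation. Adding a second entry with `match_count: 0` backed by a Sysmon event 11 from node.exe writing outside an `.openclaw` directory would pin the path component as the discriminator.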
@@ -0,0 +1,63 @@
1+
{
2+
"Event": {
3+
"System": {
4+
"Provider": {
5+
"#attributes": {
6+
"Name": "Microsoft-Windows-Sysmon",
7+
"Guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"
8+
}
9+
},
10+
"EventID": "1",
11+
"Version": "5",
12+
"Level": "4",
13+
"Task": "1",
14+
"Opcode": "0",
15+
"Keywords": "0x8000000000000000",
16+
"TimeCreated": {
17+
"#attributes": {
18+
"SystemTime": "2026-05-16T04:10:37.5336476Z"
19+
}
20+
},
21+
"EventRecordID": "2014912",
22+
"Correlation": null,
23+
"Execution": {
24+
"#attributes": {
25+
"ProcessID": "3268",
26+
"ThreadID": "3760"
27+
}
28+
},
29+
"Channel": "Microsoft-Windows-Sysmon/Operational",
30+
"Computer": "victim",
31+
"Security": {
32+
"#attributes": {
33+
"UserID": "S-1-5-18"
34+
}
35+
}
36+
},
37+
"EventData": {
38+
"RuleName": "-",
39+
"UtcTime": "2026-05-16 04:10:37.532",
40+
"ProcessGuid": "{f9e78101-ee3d-6a07-3705-000000002100}",
41+
"ProcessId": "8256",
42+
"Image": "C:\\Program Files\\nodejs\\node.exe",
43+
"FileVersion": "24.14.0",
44+
"Description": "Node.js JavaScript Runtime",
45+
"Product": "Node.js",
46+
"Company": "Node.js",
47+
"OriginalFileName": "node.exe",
48+
"CommandLine": "\"C:\\Program Files\\nodejs\\node.exe\" \"C:\\Program Files\\nodejs/node_modules/npm/bin/npm-cli.js\" install -g openclaw@2026.5.12",
49+
"CurrentDirectory": "C:\\Users\\Rundle\\Documents\\",
50+
"User": "VICTIM\\Rundle",
51+
"LogonGuid": "{f9e78101-ee3b-6a07-004c-460100000000}",
52+
"LogonId": "0x1464c00",
53+
"TerminalSessionId": "0",
54+
"IntegrityLevel": "High",
55+
"Hashes": "SHA1=AAD42AF6D78CEEA927E6C7EC06CFF3D19454F45F,MD5=350E0CD211BD0266E361A4A18CB1FF05,SHA256=63C259C81E5D472B5F11C8D506070130CB04A1ECF84B80377A34ED6EC9048088,IMPHASH=359E649AB913E838011B9D61180C7F7F",
56+
"ParentProcessGuid": "{f9e78101-ee3b-6a07-3205-000000002100}",
57+
"ParentProcessId": "5564",
58+
"ParentImage": "C:\\Windows\\System32\\wsmprovhost.exe",
59+
"ParentCommandLine": "C:\\WINDOWS\\system32\\wsmprovhost.exe -Embedding",
60+
"ParentUser": "VICTIM\\Rundle"
61+
}
62+
}
63+
}
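Review bot: The only value in this fixture that distinguishes it from any other global npm install is the package name inside `CommandLine` on line 48 (`install -g openclaw@2026.5.12`); the image, hashes, `IntegrityLevel` and parent `wsmprovhost.exe` are what an npm install launched from a WinRM session looks like regardless of package, so a rule keyed on those would only say "npm ran". The rule itself is not in this diff, but if it is a substring match on the command line it should anchor on `openclaw` and not carry the `@2026.5.12` version suffix, otherwise this fixture passes for exactly one release and the rule misses every other. The `-g` flag is also what places the package under `%APPDATA%\npm\node_modules\openclaw`, which is the directory the postinstall fixture in this commit relies on, so that relationship is worth a sentence in the fixture's metadata description.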
Lines changed: 13 additions & 0 deletions
@@ -0,0 +1,13 @@
1+
id: 11848e5a-b4b8-40ea-891e-4eb43ec97fc3
2+
description: N/A
3+
date: 2026-05-16
4+
author: David El (0xdavidel)
5+
rule_metadata:
6+
- id: d36928ed-ae93-4ece-8e23-b6bc2c8c1032
7+
title: Potential Autonomous AI Agent NPM Install
8+
regression_tests_info:
9+
- name: Positive Detection Test
10+
type: evtx
11+
provider: Microsoft-Windows-Sysmon
12+
match_count: 1
13+
path: regression_data/rules/windows/process_creation/proc_creation_win_openclaw_agent_npm_install/d36928ed-ae93-4ece-8e23-b6bc2c8c1032.evtx
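Review bot: `description: N/A` on line 2 should describe the event the fixture records so the intended match is reviewable without opening the evtx, e.g. `description: Sysmon EID 1 - node.exe running npm-cli.js with 'install -g openclaw@<version>'`. Only a positive test with `match_count: 1` is listed; a `match_count: 0` case built from an `npm install -g` of an unrelated package would confirm that the package name, and not the generic `node.exe` + `npm-cli.js` combination present in every npm invocation, is what the rule keys on. Without that negative fixture an over-broad rule would still pass this suite.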
@@ -0,0 +1,63 @@
1+
{
2+
"Event": {
3+
"System": {
4+
"Provider": {
5+
"#attributes": {
6+
"Name": "Microsoft-Windows-Sysmon",
7+
"Guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"
8+
}
9+
},
10+
"EventID": "1",
11+
"Version": "5",
12+
"Level": "4",
13+
"Task": "1",
14+
"Opcode": "0",
15+
"Keywords": "0x8000000000000000",
16+
"TimeCreated": {
17+
"#attributes": {
18+
"SystemTime": "2026-05-16T04:14:25.1031713Z"
19+
}
20+
},
21+
"EventRecordID": "2068422",
22+
"Correlation": null,
23+
"Execution": {
24+
"#attributes": {
25+
"ProcessID": "3268",
26+
"ThreadID": "3760"
27+
}
28+
},
29+
"Channel": "Microsoft-Windows-Sysmon/Operational",
30+
"Computer": "victim",
31+
"Security": {
32+
"#attributes": {
33+
"UserID": "S-1-5-18"
34+
}
35+
}
36+
},
37+
"EventData": {
38+
"RuleName": "-",
39+
"UtcTime": "2026-05-16 04:14:25.101",
40+
"ProcessGuid": "{f9e78101-ef21-6a07-5105-000000002100}",
41+
"ProcessId": "4128",
42+
"Image": "C:\\Program Files\\nodejs\\node.exe",
43+
"FileVersion": "24.14.0",
44+
"Description": "Node.js JavaScript Runtime",
45+
"Product": "Node.js",
46+
"Company": "Node.js",
47+
"OriginalFileName": "node.exe",
48+
"CommandLine": "node scripts/postinstall",
49+
"CurrentDirectory": "C:\\Users\\Rundle\\AppData\\Roaming\\npm\\node_modules\\openclaw\\node_modules\\protobufjs\\",
50+
"User": "VICTIM\\Rundle",
51+
"LogonGuid": "{f9e78101-ee3b-6a07-004c-460100000000}",
52+
"LogonId": "0x1464c00",
53+
"TerminalSessionId": "0",
54+
"IntegrityLevel": "High",
55+
"Hashes": "SHA1=AAD42AF6D78CEEA927E6C7EC06CFF3D19454F45F,MD5=350E0CD211BD0266E361A4A18CB1FF05,SHA256=63C259C81E5D472B5F11C8D506070130CB04A1ECF84B80377A34ED6EC9048088,IMPHASH=359E649AB913E838011B9D61180C7F7F",
56+
"ParentProcessGuid": "{f9e78101-ef21-6a07-5005-000000002100}",
57+
"ParentProcessId": "3372",
58+
"ParentImage": "C:\\Windows\\System32\\cmd.exe",
59+
"ParentCommandLine": "C:\\WINDOWS\\system32\\cmd.exe /d /s /c node scripts/postinstall",
60+
"ParentUser": "VICTIM\\Rundle"
61+
}
62+
}
63+
}
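Review bot: The event recorded here is protobufjs's own lifecycle script, not anything specific to the agent: `CommandLine` on line 48 is `node scripts/postinstall`, the parent on line 59 is npm's standard `cmd.exe /d /s /c` spawn on Windows, and both appear for every package that declares a postinstall hook. The only field that ties it to the agent is `CurrentDirectory` on line 49, which sits under `...\npm\node_modules\openclaw\node_modules\protobufjs\`, so the rule (not visible in this diff) must anchor on the `\openclaw\` path component rather than on `scripts/postinstall` or the `cmd.exe` parent, or it will fire on any npm install that pulls in a dependency with a postinstall. A negative fixture with the same command line from a directory outside an `openclaw` tree would make that requirement testable.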
Lines changed: 13 additions & 0 deletions
@@ -0,0 +1,13 @@
1+
id: 59a31da7-a61b-4c73-9a98-26d350eab4e1
2+
description: N/A
3+
date: 2026-05-16
4+
author: David El (0xdavidel)
5+
rule_metadata:
6+
- id: 0a004998-6182-4a08-a00c-a6c9a061097e
7+
title: Potential Autonomous AI Agent Postinstall Script Execution
8+
regression_tests_info:
9+
- name: Positive Detection Test
10+
type: evtx
11+
provider: Microsoft-Windows-Sysmon
12+
match_count: 1
13+
path: regression_data/rules/windows/process_creation/proc_creation_win_openclaw_agent_postinstall_execution/0a004998-6182-4a08-a00c-a6c9a061097e.evtx
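Review bot: `description: N/A` on line 2 hides the one fact a reviewer needs for this case: the fixture is a dependency's postinstall (`node scripts/postinstall` run from `node_modules\openclaw\node_modules\protobufjs\`), and the expected discriminator is the `\openclaw\` segment of the working directory. A description such as `description: Sysmon EID 1 - npm lifecycle 'node scripts/postinstall' executed from a package under node_modules\openclaw\` would record that. As with the other metadata files in this commit, only a `match_count: 1` case is listed; a `match_count: 0` fixture using the identical command line from a package tree that does not contain `openclaw` is the test that would catch a rule matching on the generic postinstall invocation.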
