new: OpenClaw AI agent family detection rules#6017

Open
0xdavidel wants to merge 1 commit into
SigmaHQ:masterfrom
0xdavidel:new/openclaw-agent-detection
@0xdavidel

Summary of the Pull Request

Adds four detection rules covering the OpenClaw autonomous AI agent family and its copycat ecosystem (Nanobot, NanoClaw, Moltbot, Clawdbot, and several spiritual successors). All four projects share a common dot-folder workspace convention under the user profile (~/.openclaw/, ~/.nanobot/, etc.), which gives a stable detection surface across renames and forks.

Rules and regression EVTXs were validated against a real install of openclaw@2026.5.12 (the current npm package) in a lab, including openclaw setup --non-interactive, openclaw skills list, openclaw skills install, and openclaw config get invocations. The real install bootstraps a documented agent state tree under ~/.openclaw/ with the following subfolders, all of which trigger the file-event rule:

  • ~/.openclaw/agents/<name>/sessions/ (conversation sessions)
  • ~/.openclaw/memory/main.sqlite (agent persistent memory store)
  • ~/.openclaw/flows/registry.sqlite (gateway flow registry)
  • ~/.openclaw/identity/ (identity store)
  • ~/.openclaw/plugin-skills/<skill>/ (bundled skill plugins)
  • ~/.openclaw/plugins/ (loaded plugins)
  • ~/.openclaw/workspace/ (default agent workspace; configurable via --workspace)

Coverage spans the install lifecycle:

  • NPM install: detects npm install of any package in the family.
  • Postinstall script execution: detects helpers spawned from the agent's package directory under global node_modules.
  • Workspace file creation: detects the agent's dot-folder tree materialising on disk.
  • Working directory: detects any process running with its CurrentDirectory inside one of the dot-folders, such as an operator invoking openclaw skills list or openclaw config get from inside the workspace.

Each rule ships with a positive evtx regression test (one event, match_count: 1) plus the matching event extracted as JSON.

Changelog

new: Potential Autonomous AI Agent Activity Via Known Working Directory
new: Potential Autonomous AI Agent Workspace File Creation
new: Potential Autonomous AI Agent NPM Install
new: Potential Autonomous AI Agent Postinstall Script Execution

Example Log Event

Sysmon EventID 1 fired when the operator installs the OpenClaw CLI from the public npm registry. Captured by the NPM install rule:

EventID:           1
Provider:          Microsoft-Windows-Sysmon
Image:             C:\Program Files\nodejs\node.exe
OriginalFileName:  node.exe
CommandLine:       "C:\Program Files\nodejs\node.exe" "C:\Program Files\nodejs/node_modules/npm/bin/npm-cli.js" install -g openclaw@2026.5.12
CurrentDirectory:  C:\Users\Victim\Documents\
ParentImage:       C:\Windows\System32\wsmprovhost.exe
User:              VICTIM-PC\Victim
IntegrityLevel:    High

Sysmon EventID 11 fired during openclaw setup --non-interactive when the agent created its persistent memory store. Captured by the workspace file creation rule:

EventID:           11
Provider:          Microsoft-Windows-Sysmon
Image:             C:\Program Files\nodejs\node.exe
TargetFilename:    C:\Users\Victim\.openclaw\memory\main.sqlite
User:              VICTIM-PC\Victim

Equivalent paths and commands fire for .nanobot\, .nanoclaw\, .clawdbot\, .moltbot\ etc. Full JSON of both events is included in the regression_data tree.

Fixed Issues

N/A

SigmaHQ Rule Creation Conventions

  • If your PR adds new rules, please consider following and applying these conventions

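A small Python matcher, added here as an illustration and not part of this PR or of SigmaHQ's rule set, that applies the four detection ideas above (npm install of a family package, a helper running from the package directory under global node_modules, a process whose CurrentDirectory sits inside a family dot-folder, and file creation inside one) to constructed Sysmon events modelled on the two shown in the PR body. Field names are Sysmon's and the agent names come from the PR text; the `%AppData%\npm\node_modules` global path in the third sample event is an assumption.

```python
"""Toy matcher for the four detections this PR describes: added example, not
the PR's Sigma rules. Sysmon field names are real; agent names come from the
PR text; paths and events below are constructed."""
import re

AGENT_FAMILY = ("openclaw", "nanobot", "nanoclaw", "moltbot", "clawdbot")
_NAMES = "|".join(AGENT_FAMILY)
# Dot-folder workspace (~/.openclaw/ etc.) anywhere in a path, separators normalised.
DOT_FOLDER = re.compile(r"\\\.(" + _NAMES + r")\\")
# The agent's package directory under a global node_modules tree.
MODULE_DIR = re.compile(r"\\node_modules\\(" + _NAMES + r")\\")
# npm / npm.cmd / npm-cli.js ... install ... <family package>[@version]
NPM_INSTALL = re.compile(r"\bnpm(-cli\.js|\.cmd)?\b.*\binstall\b.*\b(" + _NAMES + r")(@|\b)")

def _norm(value):
    # Lower-case and unify separators; the npm CommandLine above mixes / and \.
    return (value or "").replace("/", "\\").lower()

def classify(event):
    """Return the changelog titles of every rule this Sysmon event matches."""
    hits = []
    if event.get("EventID") == 1:
        if NPM_INSTALL.search(_norm(event.get("CommandLine"))):
            hits.append("Potential Autonomous AI Agent NPM Install")
        if any(MODULE_DIR.search(_norm(event.get(f))) for f in ("Image", "CurrentDirectory")):
            hits.append("Potential Autonomous AI Agent Postinstall Script Execution")
        if DOT_FOLDER.search(_norm(event.get("CurrentDirectory"))):
            hits.append("Potential Autonomous AI Agent Activity Via Known Working Directory")
    elif event.get("EventID") == 11 and DOT_FOLDER.search(_norm(event.get("TargetFilename"))):
        hits.append("Potential Autonomous AI Agent Workspace File Creation")
    return hits

# Constructed events modelled on the two in the PR body, plus a benign control (last).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": "C:\\Program Files\\nodejs\\node.exe", "CurrentDirectory": "C:\\Users\\Victim\\Documents\\",
     "CommandLine": '"C:\\Program Files\\nodejs\\node.exe" "C:\\Program Files\\nodejs/node_modules/npm/bin/npm-cli.js" install -g openclaw@2026.5.12'},
    {"EventID": 11, "Image": "C:\\Program Files\\nodejs\\node.exe",
     "TargetFilename": "C:\\Users\\Victim\\.openclaw\\memory\\main.sqlite"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Program Files\\nodejs\\node.exe",
     "CurrentDirectory": "C:\\Users\\Victim\\AppData\\Roaming\\npm\\node_modules\\openclaw\\"},  # assumed global path
    {"EventID": 1, "Image": "C:\\Program Files\\nodejs\\node.exe", "CommandLine": "node cli.js skills list",
     "CurrentDirectory": "C:\\Users\\Victim\\.nanobot\\workspace\\"},
    {"EventID": 1, "Image": "C:\\Program Files\\nodejs\\node.exe", "CurrentDirectory": "C:\\Users\\Victim\\Documents\\",
     "CommandLine": '"C:\\Program Files\\nodejs\\node.exe" "C:\\Program Files\\nodejs/node_modules/npm/bin/npm-cli.js" install -g typescript'},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["EventID"], classify(ev) or "no match")
```

The working-directory rule is the noisiest of the four in practice, since any process an operator launches from inside the workspace (a shell, an editor) will fire it; the sample events show that the other three rules stay quiet on an ordinary `npm install -g typescript`.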
@github-actions github-actions Bot added Rules Review Needed The PR requires review Windows Pull request add/update windows related rules labels May 16, 2026