Execution via OpenClaw Agent

  1[metadata]
  2creation_date = "2026/02/02"
  3integration = ["endpoint"]
  4maturity = "production"
  5updated_date = "2026/02/02"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Detects suspicious child process execution from the OpenClaw, Moltbot, or Clawdbot AI coding agents running via Node.js.
 11These tools can execute arbitrary shell commands through skills or prompt injection attacks. Malicious skills from
 12public registries like ClawHub have been observed executing obfuscated download-and-execute commands targeting
 13cryptocurrency wallets and credentials. This rule identifies shells, scripting interpreters, and common LOLBins spawned
 14by these AI agents.
 15"""
 16from = "now-9m"
 17index = ["logs-endpoint.events.process-*"]
 18language = "eql"
 19license = "Elastic License v2"
 20name = "Execution via OpenClaw Agent"
 21note = """## Triage and analysis
 22
 23### Investigating Execution via OpenClaw Agent
 24
 25OpenClaw (formerly Clawdbot, rebranded to Moltbot) is a personal AI coding assistant that can execute shell commands 
 26and scripts on behalf of users. Malicious actors have weaponized the skill ecosystem (ClawHub) to distribute skills 
 27that execute download-and-execute commands, targeting cryptocurrency wallets and credentials.
 28
 29### Possible investigation steps
 30
 31- Verify if OpenClaw/Moltbot is an approved application in your organization.
 32- Review the child process command line for indicators of malicious activity (encoded payloads, remote downloads, credential access).
 33- Check the parent Node.js process command line to identify which OpenClaw component initiated the execution.
 34- Examine recently installed skills from ClawHub for malicious or obfuscated code.
 35- Correlate with network events to identify data exfiltration or C2 communication.
 36- Review the user's AI conversation history for prompt injection attempts.
 37
 38### False positive analysis
 39
 40- Developers legitimately using OpenClaw/Moltbot for AI-assisted coding may trigger this rule when the AI executes build scripts, curl commands, or other legitimate automation.
 41- If the tool is approved, consider tuning based on specific command patterns or adding exception lists.
 42
 43### Response and remediation
 44
 45- If the child process activity appears malicious, terminate the OpenClaw gateway and investigate the skill that initiated the command.
 46- Review and remove any suspicious skills from the OpenClaw configuration.
 47- If credentials may have been accessed, rotate affected secrets and API keys.
 48- Block known typosquat domains (moltbot.you, clawbot.ai, clawdbot.you) at the network level.
 49"""
 50references = [
 51    "https://www.malwarebytes.com/blog/threat-intel/2026/01/clawdbots-rename-to-moltbot-sparks-impersonation-campaign",
 52    "https://www.tomshardware.com/tech-industry/cyber-security/malicious-moltbot-skill-targets-crypto-users-on-clawhub",
 53    "https://blogs.cisco.com/ai/personal-ai-agents-like-openclaw-are-a-security-nightmare",
 54    "https://blog.virustotal.com/2026/02/from-automation-to-infection-how.html",
 55]
 56risk_score = 47
 57rule_id = "a7c3e8f2-4b19-4d6a-9e5c-8f1a2b3c4d5e"
 58severity = "medium"
 59tags = [
 60    "Domain: Endpoint",
 61    "Domain: LLM",
 62    "OS: Linux",
 63    "OS: macOS",
 64    "OS: Windows",
 65    "Use Case: Threat Detection",
 66    "Tactic: Execution",
 67    "Tactic: Command and Control",
 68    "Data Source: Elastic Defend",
 69    "Resources: Investigation Guide",
 70]
 71timestamp_override = "event.ingested"
 72type = "eql"
 73
 74query = '''
 75process where event.type == "start" and
 76  process.parent.name : ("node", "node.exe") and 
 77  process.parent.command_line : ("*openclaw*", "*moltbot*", "*clawdbot*") and
 78   process.name : ("bash", "sh", "zsh", "bash.exe", "cmd.exe", "powershell.exe", "curl.exe", "curl", "base64", "xattr", "osascript", "python*", "chmod", "certutil.exe", "rundll32.exe")
 79'''
 80
 81
 82[[rule.threat]]
 83framework = "MITRE ATT&CK"
 84[[rule.threat.technique]]
 85id = "T1059"
 86name = "Command and Scripting Interpreter"
 87reference = "https://attack.mitre.org/techniques/T1059/"
 88[[rule.threat.technique.subtechnique]]
 89id = "T1059.007"
 90name = "JavaScript"
 91reference = "https://attack.mitre.org/techniques/T1059/007/"
 92
 93
 94
 95[rule.threat.tactic]
 96id = "TA0002"
 97name = "Execution"
 98reference = "https://attack.mitre.org/tactics/TA0002/"
 99[[rule.threat]]
100framework = "MITRE ATT&CK"
101[[rule.threat.technique]]
102id = "T1071"
103name = "Application Layer Protocol"
104reference = "https://attack.mitre.org/techniques/T1071/"
105[[rule.threat.technique.subtechnique]]
106id = "T1071.001"
107name = "Web Protocols"
108reference = "https://attack.mitre.org/techniques/T1071/001/"
109
110
111
112[rule.threat.tactic]
113id = "TA0011"
114name = "Command and Control"
115reference = "https://attack.mitre.org/tactics/TA0011/"