Execution via OpenClaw Agent

Status: production
Severity: medium
Time window: 9m
Author: Elastic
Source: github.com/elastic/detection-rules

Detects suspicious child process execution from the OpenClaw, Moltbot, or Clawdbot AI coding agents running via Node.js. These tools can execute arbitrary shell commands through skills or prompt injection attacks. Malicious skills from public registries like ClawHub have been observed executing obfuscated download-and-execute commands targeting cryptocurrency wallets and credentials. This rule identifies shells, scripting interpreters, and common LOLBins spawned by these AI agents.

Rule body elastic

[metadata]
creation_date = "2026/02/02"
integration = ["endpoint"]
maturity = "production"
updated_date = "2026/04/07"

[rule]
author = ["Elastic"]
description = """
Detects suspicious child process execution from the OpenClaw, Moltbot, or Clawdbot AI coding agents running via Node.js.
These tools can execute arbitrary shell commands through skills or prompt injection attacks. Malicious skills from
public registries like ClawHub have been observed executing obfuscated download-and-execute commands targeting
cryptocurrency wallets and credentials. This rule identifies shells, scripting interpreters, and common LOLBins spawned
by these AI agents.
"""
from = "now-9m"
index = ["logs-endpoint.events.process-*"]
language = "eql"
license = "Elastic License v2"
name = "Execution via OpenClaw Agent"
note = """## Triage and analysis

### Investigating Execution via OpenClaw Agent

OpenClaw (formerly Clawdbot, rebranded to Moltbot) is a personal AI coding assistant that can execute shell commands 
and scripts on behalf of users. Malicious actors have weaponized the skill ecosystem (ClawHub) to distribute skills 
that execute download-and-execute commands, targeting cryptocurrency wallets and credentials.

### Possible investigation steps

- Verify if OpenClaw/Moltbot is an approved application in your organization.
- Review the child process command line for indicators of malicious activity (encoded payloads, remote downloads, credential access).
- Check the parent Node.js process command line to identify which OpenClaw component initiated the execution.
- Examine recently installed skills from ClawHub for malicious or obfuscated code.
- Correlate with network events to identify data exfiltration or C2 communication.
- Review the user's AI conversation history for prompt injection attempts.

### False positive analysis

- Developers legitimately using OpenClaw/Moltbot for AI-assisted coding may trigger this rule when the AI executes build scripts, curl commands, or other legitimate automation.
- If the tool is approved, consider tuning based on specific command patterns or adding exception lists.

### Response and remediation

- If the child process activity appears malicious, terminate the OpenClaw gateway and investigate the skill that initiated the command.
- Review and remove any suspicious skills from the OpenClaw configuration.
- If credentials may have been accessed, rotate affected secrets and API keys.
- Block known typosquat domains (moltbot.you, clawbot.ai, clawdbot.you) at the network level.
"""
references = [
    "https://www.malwarebytes.com/blog/threat-intel/2026/01/clawdbots-rename-to-moltbot-sparks-impersonation-campaign",
    "https://www.tomshardware.com/tech-industry/cyber-security/malicious-moltbot-skill-targets-crypto-users-on-clawhub",
    "https://blogs.cisco.com/ai/personal-ai-agents-like-openclaw-are-a-security-nightmare",
    "https://blog.virustotal.com/2026/02/from-automation-to-infection-how.html",
]
risk_score = 47
rule_id = "a7c3e8f2-4b19-4d6a-9e5c-8f1a2b3c4d5e"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "Domain: LLM",
    "OS: Linux",
    "OS: macOS",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Execution",
    "Tactic: Command and Control",
    "Data Source: Elastic Defend",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where event.type == "start" and
  process.parent.name : ("node", "node.exe") and
  process.parent.command_line : ("*openclaw*", "*moltbot*", "*clawdbot*") and
  process.name : ("bash", "sh", "zsh", "bash.exe", "cmd.exe", "powershell.exe", "curl.exe", "curl", "base64", "xattr", "osascript", "python*", "chmod", "certutil.exe", "rundll32.exe") and
  not process.args in (
    "ip neigh show",
    "arp -a -n -l",
    "ip neighbor show dev wlan0",
    "ip neighbor show dev eth0",
    "arp -a | findstr /C:---"
  )
'''


[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"

[[rule.threat.technique.subtechnique]]
id = "T1059.001"
name = "PowerShell"
reference = "https://attack.mitre.org/techniques/T1059/001/"

[[rule.threat.technique.subtechnique]]
id = "T1059.002"
name = "AppleScript"
reference = "https://attack.mitre.org/techniques/T1059/002/"

[[rule.threat.technique.subtechnique]]
id = "T1059.003"
name = "Windows Command Shell"
reference = "https://attack.mitre.org/techniques/T1059/003/"

[[rule.threat.technique.subtechnique]]
id = "T1059.004"
name = "Unix Shell"
reference = "https://attack.mitre.org/techniques/T1059/004/"

[[rule.threat.technique.subtechnique]]
id = "T1059.006"
name = "Python"
reference = "https://attack.mitre.org/techniques/T1059/006/"

[[rule.threat.technique.subtechnique]]
id = "T1059.007"
name = "JavaScript"
reference = "https://attack.mitre.org/techniques/T1059/007/"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1071"
name = "Application Layer Protocol"
reference = "https://attack.mitre.org/techniques/T1071/"

[[rule.threat.technique.subtechnique]]
id = "T1071.001"
name = "Web Protocols"
reference = "https://attack.mitre.org/techniques/T1071/001/"

[[rule.threat.technique]]
id = "T1105"
name = "Ingress Tool Transfer"
reference = "https://attack.mitre.org/techniques/T1105/"

[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1140"
name = "Deobfuscate/Decode Files or Information"
reference = "https://attack.mitre.org/techniques/T1140/"

[[rule.threat.technique]]
id = "T1218"
name = "System Binary Proxy Execution"
reference = "https://attack.mitre.org/techniques/T1218/"

[[rule.threat.technique.subtechnique]]
id = "T1218.011"
name = "Rundll32"
reference = "https://attack.mitre.org/techniques/T1218/011/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"

Stages and Predicates

Stage 1: process

process where event.type == "start" and
  process.parent.name : ("node", "node.exe") and
  process.parent.command_line : ("*openclaw*", "*moltbot*", "*clawdbot*") and
  process.name : ("bash", "sh", "zsh", "bash.exe", "cmd.exe", "powershell.exe", "curl.exe", "curl", "base64", "xattr", "osascript", "python*", "chmod", "certutil.exe", "rundll32.exe") and
  not process.args in (
    "ip neigh show",
    "arp -a -n -l",
    "ip neighbor show dev wlan0",
    "ip neighbor show dev eth0",
    "arp -a | findstr /C:---"
  )

Exclusions

Top-level NOT(...) conjuncts: predicates this rule actively suppresses.

Field | Kind | Excluded values
process.args | in
  • arp -a -n -l
  • arp -a | findstr /C:---
  • ip neigh show
  • ip neighbor show dev eth0
  • ip neighbor show dev wlan0
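
The following is an added example, not part of the Elastic rule or of this catalog: a Python emulation of the Stage 1 predicate run over constructed process events, to show what the exclusion does and does not suppress. It assumes EQL semantics in which `:` is a case-insensitive wildcard match and `in` is an exact, case-sensitive comparison against each element of the `process.args` array; the event layout, paths and function names are hypothetical.

```python
from fnmatch import fnmatchcase

# Values copied from the rule query above.
PARENT_NAMES = ("node", "node.exe")
PARENT_CMDLINES = ("*openclaw*", "*moltbot*", "*clawdbot*")
CHILD_NAMES = ("bash", "sh", "zsh", "bash.exe", "cmd.exe", "powershell.exe",
               "curl.exe", "curl", "base64", "xattr", "osascript", "python*",
               "chmod", "certutil.exe", "rundll32.exe")
EXCLUDED_ARGS = {"ip neigh show", "arp -a -n -l", "ip neighbor show dev wlan0",
                 "ip neighbor show dev eth0", "arp -a | findstr /C:---"}

def wildcard(value, patterns):
    """Emulate EQL ':' (case-insensitive, '*' wildcard) for these patterns."""
    value = (value or "").lower()
    return any(fnmatchcase(value, p.lower()) for p in patterns)

def rule_matches(event):
    """Return True when a process event satisfies the Stage 1 predicate."""
    parent = event.get("parent", {})
    if event.get("event_type") != "start":
        return False
    if not (wildcard(parent.get("name"), PARENT_NAMES)
            and wildcard(parent.get("command_line"), PARENT_CMDLINES)
            and wildcard(event.get("name"), CHILD_NAMES)):
        return False
    # 'in' is exact: suppress only if one argv element equals a listed string.
    return not any(arg in EXCLUDED_ARGS for arg in event.get("args", []))

def ev(name, args, parent_cmd="node /opt/openclaw/dist/gateway.js", parent="node"):
    """Build a constructed process-start event (hypothetical field layout)."""
    return {"event_type": "start", "name": name, "args": args,
            "parent": {"name": parent, "command_line": parent_cmd}}

# Constructed sample events, not taken from real telemetry.
SAMPLES = {
    "listed_neighbor_scan": ev("sh", ["sh", "-c", "ip neigh show"]),
    "other_interface": ev("sh", ["sh", "-c", "ip neighbor show dev wlan1"]),
    "curl_download": ev("curl", ["curl", "-fsSL", "https://example.invalid/a"]),
    "versioned_python": ev("python3.12", ["python3.12", "build.py"]),
    "windows_mixed_case": ev("PowerShell.EXE", ["powershell.exe", "-File", "x.ps1"],
                             r"C:\Tools\OpenClaw\cli.js", "Node.exe"),
    "unrelated_node_app": ev("bash", ["bash", "deploy.sh"], "node server.js"),
    "git_child": ev("git", ["git", "status"]),
}

if __name__ == "__main__":
    for label, event in SAMPLES.items():
        print(f"{label:22} alert={rule_matches(event)}")
```

Under these assumptions the exclusion only suppresses a shell whose whole command string arrives as a single argument equal to a listed value, so the same neighbor-table lookup on an unlisted interface still alerts and is a candidate for a tuned exception.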

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field | Kind | Values
event.type | eq
  • start corpus 606 (elastic 606)
process.name | wildcard
  • base64 corpus 3 (elastic 3)
  • bash corpus 7 (elastic 7)
  • bash.exe
  • certutil.exe corpus 22 (elastic 16, splunk 6)
  • chmod corpus 5 (elastic 4, splunk 1)
  • cmd.exe corpus 77 (elastic 48, splunk 29)
  • curl corpus 18 (elastic 13, splunk 5)
  • curl.exe corpus 15 (elastic 12, splunk 3)
  • osascript corpus 10 (elastic 10)
  • powershell.exe corpus 104 (elastic 60, splunk 44)
  • python* corpus 31 (elastic 31)
  • rundll32.exe corpus 60 (elastic 34, splunk 26)
  • sh corpus 8 (elastic 7, splunk 1)
  • xattr
  • zsh corpus 7 (elastic 7)
process.parent.command_line | wildcard
  • *clawdbot* corpus 2 (elastic 2)
  • *moltbot* corpus 2 (elastic 2)
  • *openclaw* corpus 2 (elastic 2)
process.parent.name | wildcard
  • node corpus 5 (elastic 4, splunk 1)
  • node.exe corpus 3 (elastic 2, splunk 1)