
Find OpenClaw on Endpoints

Identifies the installation, configuration, and execution of the OpenClaw (Moltbot/Clawdbot) autonomous AI agent. OpenClaw poses a significant risk for shadow AI and data exfiltration as it requires extensive permissions (Shell, APIs, Local Files) and is often controlled via messaging apps like WhatsApp or Telegram.

Detection Logic:

Installation: Monitors for web-based install scripts (install.sh/ps1) and package manager activity (npm, npx, brew) related to OpenClaw.

Configuration: Tracks file-write events to hidden user directories (.openclaw, .clawdbot, .moltbot) where plaintext API keys and skill configs are typically stored.

Execution: Detects the Node.js-based gateway service starting on the default port 18789 or via specific command-line arguments.

MITRE ATT&CK

execution

Detection Query

#repo="base_sensor"
| #event_simpleName =~ in(values=["*ProcessRollup2", "*FileWritten"])
| case {
  // Look for the curl install method
  CommandLine=/openclaw\.ai\/install\.sh/
    | Action := "openclaw installed";

  CommandLine=/openclaw\.ai\/install\.ps1/
    | Action := "openclaw installed";
  // Look for node package install methods
  CommandLine =~ in(values=["* openclaw*", "* clawdbot*", "* moltbot*"])
    | CommandLine =~ in(values=["*npm*", "*npx*", "*brew*"])
    | CommandLine="* install *"
    | Action := "openclaw installed";

  // Look for files being written to user home directories
  FilePath =~ in(values=["*/.openclaw/*", "*/.clawdbot/*", "*/.moltbot/*"])
    | Action := "openclaw user configuration updated";

  // Look for the clawdbot service being started on port tcp/18789
  CommandLine =~ in(values=["*openclaw*", "*clawdbot*", "*moltbot*"])
    | ImageFileName=/node/i
    | CommandLine=/gateway --port 18789/i
    | Action := "openclaw service started";
    
  // Look for the clawdbot service being started
  CommandLine =~ in(values=["*openclaw*", "*clawdbot*", "*moltbot*"])
    | FileName=/node/i
    | CommandLine=/gateway/i
    | Action := "openclaw service started";
}
| groupby(
  aid, 
  ComputerName, 
  UserName, 
  function=[
    collect(Action), 
    selectLast([CommandLine, ImageFileName, #event_simpleName])
  ]
)
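To show how the branches of the `case` block above behave on concrete telemetry, here is an added Python emulation of the query (example code, not ByteRay's or CrowdStrike's) run over constructed sample events. It assumes LogScale semantics: `case` takes the first matching branch and drops events that match none, `=~ in(values=[...])` is a case-sensitive wildcard match, and `collect()` returns distinct values. The field names follow the query; the event contents, hostnames and aid values are made up for the example.

```python
import re
from fnmatch import fnmatchcase

# Wildcard lists copied from the query's in(values=[...]) clauses
NAMES = ["*openclaw*", "*clawdbot*", "*moltbot*"]
NAMES_SPACED = ["* openclaw*", "* clawdbot*", "* moltbot*"]
PKG_MANAGERS = ["*npm*", "*npx*", "*brew*"]
CONFIG_DIRS = ["*/.openclaw/*", "*/.clawdbot/*", "*/.moltbot/*"]

# Constructed sample events (made-up values shaped like ProcessRollup2/FileWritten records)
SAMPLE_EVENTS = [
    {"#event_simpleName": "ProcessRollup2", "aid": "aid-1", "ComputerName": "WS01", "UserName": "alice",
     "ImageFileName": "/usr/bin/curl", "FileName": "curl",
     "CommandLine": "curl -fsSL https://openclaw.ai/install.sh"},
    {"#event_simpleName": "ProcessRollup2", "aid": "aid-1", "ComputerName": "WS01", "UserName": "alice",
     "ImageFileName": "/usr/bin/node", "FileName": "node",
     "CommandLine": "npm install -g openclaw"},
    {"#event_simpleName": "FileWritten", "aid": "aid-1", "ComputerName": "WS01", "UserName": "alice",
     "ImageFileName": "/usr/bin/node", "FileName": "node",
     "FilePath": "/home/alice/.openclaw/openclaw.json"},
    {"#event_simpleName": "ProcessRollup2", "aid": "aid-1", "ComputerName": "WS01", "UserName": "alice",
     "ImageFileName": "/usr/bin/node", "FileName": "node",
     "CommandLine": "node /usr/lib/node_modules/openclaw/dist/index.js gateway --port 18789"},
    # Mentions the name but is neither an install nor a gateway start: matches no branch
    {"#event_simpleName": "ProcessRollup2", "aid": "aid-1", "ComputerName": "WS01", "UserName": "alice",
     "ImageFileName": "/usr/bin/grep", "FileName": "grep",
     "CommandLine": "grep -r openclaw /var/log/syslog"},
    {"#event_simpleName": "ProcessRollup2", "aid": "aid-2", "ComputerName": "WS02", "UserName": "bob",
     "ImageFileName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "FileName": "powershell.exe",
     "CommandLine": "powershell -c Invoke-WebRequest https://openclaw.ai/install.ps1 -OutFile install.ps1"},
    # A Node gateway with no OpenClaw name in the command line: matches no branch
    {"#event_simpleName": "ProcessRollup2", "aid": "aid-2", "ComputerName": "WS02", "UserName": "bob",
     "ImageFileName": "C:\\Program Files\\nodejs\\node.exe", "FileName": "node.exe",
     "CommandLine": "node app.js gateway"},
    # Wrong event type: removed by the #event_simpleName filter before the case block
    {"#event_simpleName": "DnsRequest", "aid": "aid-2", "ComputerName": "WS02", "UserName": "bob",
     "CommandLine": "npm install -g openclaw"},
]


def any_wild(value, patterns):
    """Emulate `field =~ in(values=[...])`: case-sensitive LogScale `*` wildcards."""
    return any(fnmatchcase(value, p) for p in patterns)


def classify(ev):
    """Emulate the `case { ... }` block: the first matching branch sets Action.
    Events matching no branch are dropped (None), as CQL does without a default branch."""
    cl = ev.get("CommandLine", "")
    img = ev.get("ImageFileName", "")
    fname = ev.get("FileName", "")
    path = ev.get("FilePath", "")
    if re.search(r"openclaw\.ai/install\.sh", cl):
        return "openclaw installed"
    if re.search(r"openclaw\.ai/install\.ps1", cl):
        return "openclaw installed"
    if any_wild(cl, NAMES_SPACED) and any_wild(cl, PKG_MANAGERS) and fnmatchcase(cl, "* install *"):
        return "openclaw installed"
    if any_wild(path, CONFIG_DIRS):
        return "openclaw user configuration updated"
    if any_wild(cl, NAMES) and re.search("node", img, re.I) and re.search(r"gateway --port 18789", cl, re.I):
        return "openclaw service started"
    if any_wild(cl, NAMES) and re.search("node", fname, re.I) and re.search("gateway", cl, re.I):
        return "openclaw service started"
    return None


def hunt(events):
    """Emulate the whole query: event-name filter, case block, then
    groupby(aid, ComputerName, UserName) with collect(Action) and selectLast(...)."""
    groups = {}
    for ev in events:
        if not any_wild(ev.get("#event_simpleName", ""), ["*ProcessRollup2", "*FileWritten"]):
            continue
        action = classify(ev)
        if action is None:
            continue
        key = (ev["aid"], ev["ComputerName"], ev["UserName"])
        g = groups.setdefault(key, {"Action": set(), "CommandLine": "", "ImageFileName": "", "#event_simpleName": ""})
        g["Action"].add(action)
        # selectLast(): the fields of the last matching event per group win
        g["CommandLine"] = ev.get("CommandLine", "")
        g["ImageFileName"] = ev.get("ImageFileName", "")
        g["#event_simpleName"] = ev["#event_simpleName"]
    for g in groups.values():
        g["Action"] = sorted(g["Action"])  # collect() yields distinct values; sorted for stable output
    return groups


if __name__ == "__main__":
    for key, row in hunt(SAMPLE_EVENTS).items():
        print(key, row["Action"], "|", row["CommandLine"])
```

Two things the run makes visible that the prose does not: the third install branch needs the product name preceded by a space, so `.../node_modules/openclaw/...` in the gateway command line does not trigger it and the event falls through to the service branches; and a Node gateway that never names OpenClaw in its arguments is not reported at all, which is the query's chosen trade-off between coverage and noise.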

Author

ByteRay GmbH

Data Sources

Endpoint

Platforms

windows, linux

Tags

Hunting
cs_module:Insight

Raw Content

# --- Query Metadata ---
# Human-readable name for the query. Will be displayed as the title.
name: Find OpenClaw on Endpoints

# MITRE ATT&CK technique IDs
mitre_ids:
  - T1059

# Description of what the query does and its purpose.
description: |
  Identifies the installation, configuration, and execution of the OpenClaw (Moltbot/Clawdbot) autonomous AI agent. OpenClaw poses a significant risk for shadow AI and data exfiltration as it requires extensive permissions (Shell, APIs, Local Files) and is often controlled via messaging apps like WhatsApp or Telegram.

# The author or team that created the query.
author: ByteRay GmbH

# The required log sources to run this query successfully in Next-Gen SIEM.
log_sources:
  - Endpoint

# The CrowdStrike modules required to run this query.
cs_required_modules:
  - Insight

# Tags for filtering and categorization.
tags:
  - Hunting

# --- Query Content ---
# The actual CrowdStrike Query Language (CQL) code.
# Using the YAML block scalar `|` allows for multi-line strings.
cql: |
  #repo="base_sensor"
  | #event_simpleName =~ in(values=["*ProcessRollup2", "*FileWritten"])
  | case {
    // Look for the curl install method
    CommandLine=/openclaw\.ai\/install\.sh/
      | Action := "openclaw installed";
  
    CommandLine=/openclaw\.ai\/install\.ps1/
      | Action := "openclaw installed";
    // Look for node package install methods
    CommandLine =~ in(values=["* openclaw*", "* clawdbot*", "* moltbot*"])
      | CommandLine =~ in(values=["*npm*", "*npx*", "*brew*"])
      | CommandLine="* install *"
      | Action := "openclaw installed";
  
    // Look for files being written to user home directories
    FilePath =~ in(values=["*/.openclaw/*", "*/.clawdbot/*", "*/.moltbot/*"])
      | Action := "openclaw user configuration updated";
  
    // Look for the clawdbot service being started on port tcp/18789
    CommandLine =~ in(values=["*openclaw*", "*clawdbot*", "*moltbot*"])
      | ImageFileName=/node/i
      | CommandLine=/gateway --port 18789/i
      | Action := "openclaw service started";
      
    // Look for the clawdbot service being started
    CommandLine =~ in(values=["*openclaw*", "*clawdbot*", "*moltbot*"])
      | FileName=/node/i
      | CommandLine=/gateway/i
      | Action := "openclaw service started";
  }
  | groupby(
    aid, 
    ComputerName, 
    UserName, 
    function=[
      collect(Action), 
      selectLast([CommandLine, ImageFileName, #event_simpleName])
    ]
  )

# Explanation of the query.
# Using the YAML block scalar `|` allows for multi-line strings.
# Uses markdown for formatting on the webpage.
explanation: |
  # Detection Logic:
  
  ### Installation:
  Monitors for web-based install scripts (install.sh/ps1) and package manager activity (npm, npx, brew) related to OpenClaw.
  
  ### Configuration:
  Tracks file-write events to hidden user directories (.openclaw, .clawdbot, .moltbot) where plaintext API keys and skill configs are typically stored.
  
  ### Execution:
  Detects the Node.js-based gateway service starting on the default port 18789 or via specific command-line arguments.