EXPLORE DETECTIONS
Find hidden scheduled tasks
Find OpenClaw on Endpoints
Identifies the installation, configuration, and execution of the OpenClaw (Moltbot/Clawdbot) autonomous AI agent. OpenClaw poses a significant risk for shadow AI and data exfiltration as it requires extensive permissions (Shell, APIs, Local Files) and is often controlled via messaging apps like WhatsApp or Telegram.
Detection Logic:
Installation: Monitors for web-based install scripts (install.sh/ps1) and package manager activity (npm, npx, brew) related to OpenClaw.
Configuration: Tracks file-write events to hidden user directories (.openclaw, .clawdbot, .moltbot) where plaintext API keys and skill configs are typically stored.
Execution: Detects the Node.js-based gateway service starting on the default port 18789 or via specific command-line arguments.
Find processes that only ran a few times on a specific host
Find tasks scheduled by logon type
Find tasks scheduled by run level
Find tasks scheduled by user ID
Find tasks scheduled with ComHandler
Firewall Rule Additions
This query correlates processes with Windows Firewall rule modifications they triggered, identifying which executables are creating or modifying firewall rules.
Frequency Analysis via Program Clustering
This query detects potential reconnaissance or lateral movement activity by identifying Windows endpoints where three or more distinct discovery/enumeration tools were executed within a 10-minute window.
GenAI Usage
This query identifies DNS requests to GenAI services.
Get Host Zero Trust Assessment Scores
This query outputs a table of hosts together with their Zero Trust Assessment scores.
Get USB Devices
Retrieves a list of USB devices plugged into the host.
High Volume SMB File Copy (Data Exfiltration / Ransomware) – Microsoft Defender for Identity
Detects a large volume of file transfers over SMB within a short timeframe, as identified by Microsoft Defender for Identity. This behavior may indicate bulk data exfiltration or ransomware activity, where files are rapidly copied, staged, or encrypted across systems, and should be investigated immediately.