EXPLORE DETECTIONS
Find events triggered on an event
Find events triggered on an event
Find hidden scheduled tasks
Find hidden scheduled tasks
Find OpenClaw on Endpoints
Identifies the installation, configuration, and execution of the OpenClaw (Moltbot/Clawdbot) autonomous AI agent. OpenClaw poses a significant risk for shadow AI and data exfiltration as it requires extensive permissions (Shell, APIs, Local Files) and is often controlled via messaging apps like WhatsApp or Telegram. # Detection Logic: ### Installation: Monitors for web-based install scripts (install.sh/ps1) and package manager activity (npm, npx, brew) related to OpenClaw. ### Configuration: Tracks file-write events to hidden user directories (.openclaw, .clawdbot, .moltbot) where plaintext API keys and skill configs are typically stored. ### Execution: Detects the Node.js-based gateway service starting on the default port 18789 or via specific command-line arguments.
Find OpenClaw on Endpoints
Identifies the installation, configuration, and execution of the OpenClaw (Moltbot/Clawdbot) autonomous AI agent. OpenClaw poses a significant risk for shadow AI and data exfiltration as it requires extensive permissions (Shell, APIs, Local Files) and is often controlled via messaging apps like WhatsApp or Telegram. # Detection Logic: ### Installation: Monitors for web-based install scripts (install.sh/ps1) and package manager activity (npm, npx, brew) related to OpenClaw. ### Configuration: Tracks file-write events to hidden user directories (.openclaw, .clawdbot, .moltbot) where plaintext API keys and skill configs are typically stored. ### Execution: Detects the Node.js-based gateway service starting on the default port 18789 or via specific command-line arguments.
Find processes that only ran a few of times on a specific host
Find processes that only ran a few of times on a specific host
Find tasks scheduled by logon type
Find tasks scheduled by logon type
Find tasks scheduled by run level
Find tasks scheduled by run level
Find tasks scheduled by user ID
Find tasks scheduled by user ID
Find tasks scheduled with ComHandler
Find tasks scheduled with ComHandler
Firewall Rule Additions
This query correlates processes with Windows Firewall rule modifications they triggered, identifying which executables are creating or modifying firewall rules.
Firewall Rule Additions
This query correlates processes with Windows Firewall rule modifications they triggered, identifying which executables are creating or modifying firewall rules.
Frequency Analysis via Program Clustering
This query detects potential reconnaissance or lateral movement activity by identifying Windows endpoints where three or more distinct discovery/enumeration tools were executed within 10-minute windows
Frequency Analysis via Program Clustering
This query detects potential reconnaissance or lateral movement activity by identifying Windows endpoints where three or more distinct discovery/enumeration tools were executed within 10-minute windows
GenAI Usage
This query identifies DNS requests to GenAI services.
GenAI Usage
This query identifies DNS requests to GenAI services.
Get Host Zero Trust Assessment Scores
This query outputs a table with hosts including their zero trust scores
Get Host Zero Trust Assessment Scores
This query outputs a table with hosts including their zero trust scores