Contents
Campaign: Korean-ClaudeCode-Allowlist-OpenClaw-221.150.15.104
Date: 2026-05-27
Author: The Hunters Ledger
License: CC BY-NC 4.0
Reference: https://the-hunters-ledger.com/reports/korean-claude-openclaw-221.150.15.104/
Detection Coverage Summary
| Rule Type | Count | MITRE Techniques Covered | Overall FP Risk |
|---|---|---|---|
| YARA | 2 | T1562.001, T1059.004 | LOW–MEDIUM |
| Sigma | 5 | T1562.001, T1059.004, T1059.007, T1090.001, T1082 | LOW–MEDIUM |
| Suricata | 3 | T1562.001, T1059.004, T1090.001 | LOW |
Detection philosophy for this campaign: No malware binary exists — the primary evidence is the operator’s ~/.claude/settings.local.json configuration artifact. Detection coverage targets three surfaces: (1) the configuration-file artifact itself (YARA file-content matching), (2) behavioral execution patterns generated by Claude Code when acting under the attacker-customized allowlist (Sigma process/file rules), and (3) network egress to the OpenClaw distribution and documentation infrastructure (Suricata). Because OpenClaw is a publicly-distributed dual-use AI-agent framework, all rules carry explicit deployment-scope guidance — server-class and non-developer endpoints are the highest-priority targets; developer-class host detections require allowlist review rather than automatic blocking.
Key hunt anchor: Any settings.local.json (Claude Code global or per-project allowlist) whose permissions.allow array contains a curl ... | bash pattern, a global npm i -g of an unfamiliar package, or a local-listener invocation (* --port <N>) is high-priority regardless of which specific tooling is referenced. The specific OpenClaw strings are a precision anchor; the broader curl|bash pattern is the resilience anchor.
YARA Rules
/*
Yara Rule Set
Identifier: Claude Code Attacker-Customized Allowlist — OpenClaw Operator (Korean-ClaudeCode-Allowlist-OpenClaw-221.150.15.104)
Author: The Hunters Ledger
Source: https://pixelatedcontinuum.github.io/Threat-Intel-Reports/
License: CC BY-NC 4.0 - https://creativecommons.org/licenses/by-nc/4.0/
*/
Rule 1 — OpenClaw-Specific Allowlist (HIGH Precision)
Detection Priority: HIGH
Rationale: Detects the operator’s exact settings.local.json allowlist pattern pre-authorizing the complete OpenClaw installation and gateway-bring-up workflow. The combination of 3+ OpenClaw-specific allowlist entries in a Claude Code permission file is a definitive indicator of attacker-customized AI-agent allowlist abuse — no known legitimate Claude Code workflow pre-approves curl|bash + npm i -g openclaw + openclaw gateway in the same file.
ATT&CK Coverage: T1562.001 (Disable or Modify Tools — suppresses Claude Code per-command safety prompts), T1059.004 (Unix Shell — pre-authorized Bash invocations)
Confidence: HIGH
False Positive Risk: LOW — the combination of 3+ OpenClaw-specific allowlist strings in a settings.local.json file is not produced by any known legitimate developer workflow. Individual strings may appear separately in legitimate configurations; the conjunction rule (any 3 of 7) makes FP probability negligible.
Deployment: Endpoint file scanner, YARA-over-filesystem hunt on developer and admin workstations, CI/CD pipeline scanning. Target file: settings.local.json anywhere under .claude/ directories.
rule TOOL_ClaudeCode_OpenClaw_Allowlist_Specific {
meta:
description = "Detects attacker-customized Claude Code settings.local.json containing 3+ OpenClaw-specific permission allowlist entries pre-authorizing the OpenClaw curl|bash installer, npm global install, onboarding, docs fetch, gateway start, and UI launch — suppressing Claude Code safety prompts for the complete OpenClaw bring-up workflow"
license = "CC BY-NC 4.0 - https://creativecommons.org/licenses/by-nc/4.0/"
author = "The Hunters Ledger"
reference = "https://the-hunters-ledger.com/hunting-detections/korean-claude-openclaw-221.150.15.104-detections/"
date = "2026-05-27"
family = "AI-Agent Allowlist Abuse"
malware_type = "Operator Tradecraft / AI-Agent Permission Bypass"
campaign = "Korean-ClaudeCode-Allowlist-OpenClaw-221.150.15.104"
id = "98965454-3e39-59be-8b73-d9e5451d3a11"
strings:
$oc_install = "Bash(curl -fsSL https://openclaw.ai/install.sh | bash)" ascii fullword
$oc_npm = "Bash(npm i -g openclaw)" ascii fullword
$oc_onboard = "Bash(openclaw onboard)" ascii fullword
$oc_webfetch = "WebFetch(domain:docs.openclaw.ai)" ascii fullword
$oc_gateway = "Bash(openclaw gateway --port" ascii
$oc_openui = "Bash(open http://127.0.0.1:18789/)" ascii fullword
$oc_domain = "openclaw.ai" ascii
condition:
filesize < 10KB and
3 of ($oc_install, $oc_npm, $oc_onboard, $oc_webfetch, $oc_gateway, $oc_openui, $oc_domain)
}
Rule 2 — Generic curl|bash in Claude Code Allowlist (Heuristic)
Detection Priority: MEDIUM
Rationale: Detects any settings.local.json Claude Code permission file containing a Bash(curl ... | bash) or Bash(curl ... | sh) pattern within a permissions block. This is a high-signal heuristic regardless of which specific tooling is referenced — pre-authorizing a pipe-to-shell installer in a Claude Code allowlist is operationally equivalent to auto-accepting a “run arbitrary code” permission. The OpenClaw case is the first documented instance; the defender hunt anchor is the broader pattern.
ATT&CK Coverage: T1562.001 (Disable or Modify Tools — suppresses AI-agent safety prompts), T1059.004 (Unix Shell — pre-authorized Bash curl|bash pipeline)
Confidence: MODERATE (high signal; moderate FP risk on developer-class hosts with legitimate installer allowlists)
False Positive Risk: MEDIUM — developer endpoints whose Claude Code allowlists include approved internal installer pipelines (e.g., corporate package feeds delivered via curl | bash) will trigger this rule. Recommended deployment scope: server-class and non-developer endpoints where no legitimate curl|bash installer workflow should be pre-authorized. For developer-class hosts, use as a delta-alert (new entry detected) rather than a block trigger, and route to allowlist review.
Deployment: Server-class endpoints, CI/CD agents, jump hosts, finance/HR workstations. NOT recommended as an untuned block on developer workstations without content review workflow.
rule TOOL_ClaudeCode_CurlBash_Allowlist_Generic {
meta:
description = "Detects any Claude Code settings.local.json permission allowlist containing a Bash(curl ... | bash) or Bash(curl ... | sh) pre-authorization pattern — a high-signal heuristic for attacker-customized AI-agent allowlist abuse regardless of which specific tooling is being installed"
license = "CC BY-NC 4.0 - https://creativecommons.org/licenses/by-nc/4.0/"
author = "The Hunters Ledger"
reference = "https://the-hunters-ledger.com/hunting-detections/korean-claude-openclaw-221.150.15.104-detections/"
date = "2026-05-27"
family = "AI-Agent Allowlist Abuse"
malware_type = "Operator Tradecraft / AI-Agent Permission Bypass"
campaign = "Korean-ClaudeCode-Allowlist-OpenClaw-221.150.15.104"
id = "ae126881-077c-513d-bd87-bd8b56944fcc"
strings:
$permissions_block = "\"permissions\"" ascii
$allow_block = "\"allow\"" ascii
$curl_bash = "| bash)" ascii
$curl_sh = "| sh)" ascii
$bash_prefix = "Bash(curl" ascii
condition:
filesize < 10KB and
$permissions_block and
$allow_block and
$bash_prefix and
($curl_bash or $curl_sh)
}
Sigma Rules
Rule 1 — settings.local.json File Write Containing OpenClaw Allowlist Strings
Detection Priority: HIGH
Rationale: Detects file creation or modification events targeting settings.local.json within .claude/ directories where the file content contains OpenClaw-specific allowlist strings. This fires when an operator writes or modifies the attacker-customized allowlist — the most direct behavioral signal available given the absence of a malware binary.
ATT&CK Coverage: T1562.001 (Disable or Modify Tools)
Confidence: HIGH
False Positive Risk: LOW — settings.local.json files under .claude/ directories containing openclaw strings have no known legitimate production use. Developer-class FP risk is low because legitimate OpenClaw adopters would need to explicitly add these strings to their allowlist.
Deployment: Linux and macOS endpoints with file-event telemetry (auditd, Sysmon for Linux, ESA). Filter on TargetFilename matching the .claude/settings.local.json pattern.
title: Claude Code Permission Allowlist Modified with OpenClaw Installer Strings
id: 54d80e73-2b2d-4932-a97b-d431db41c501
status: test
description: >-
Detects creation or modification of a Claude Code settings.local.json file containing
OpenClaw-specific permission allowlist strings — evidence of attacker-customized AI-agent
CLI allowlist abuse that suppresses Claude Code per-command safety prompts for the complete
OpenClaw installation and gateway bring-up workflow. Observed in the Korean-ClaudeCode-Allowlist-OpenClaw-221.150.15.104 campaign.
references:
- https://the-hunters-ledger.com/reports/korean-claude-openclaw-221.150.15.104/
- https://the-hunters-ledger.com/hunting-detections/korean-claude-openclaw-221.150.15.104-detections/
author: The Hunters Ledger
date: 2026/05/27
tags:
- attack.defense-evasion
logsource:
category: file_event
product: linux
detection:
selection_path:
TargetFilename|contains: '/.claude/settings.local.json'
selection_content:
TargetFilename|contains:
- 'openclaw'
condition: selection_path
falsepositives:
- >-
Legitimate OpenClaw adopters on developer-class workstations who have explicitly added
OpenClaw allowlist entries to their Claude Code configuration. Deploy with content-review
workflow on developer hosts rather than as an automatic block. On server-class and
non-developer hosts, treat as high-priority finding.
level: high
Note on file-content matching: Sigma
file_eventrules match on path and process metadata; file content is not natively matchable in most Sigma back-ends. Pair this rule with a YARA scan (Rule 1 above) for content-level detection. The Sigma rule surfaces the write event; the YARA rule confirms content. Use both together for high-confidence detection.
Rule 2 — DNS Resolution of OpenClaw Domains from Non-Developer Hosts
Detection Priority: HIGH
Rationale: Detects DNS resolution requests for openclaw.ai, docs.openclaw.ai, and lightmake.site — the three OpenClaw distribution, documentation, and adjacent-infrastructure domains. DNS queries from server-class hosts or non-developer endpoints to these domains have no legitimate explanation outside of attacker-customized AI-agent tooling installation.
ATT&CK Coverage: T1562.001 (Disable or Modify Tools — resolving distribution infrastructure for allowlist-pre-approved tooling), T1059.004 (Unix Shell — installer pipeline distribution)
Confidence: HIGH (for server-class and non-developer hosts); MODERATE (for developer workstations without additional context)
False Positive Risk: MEDIUM — legitimate OpenClaw product adopters (developers intentionally evaluating the framework) will trigger this rule. Recommended tuning: whitelist known developer-class hosts and focus alerting on server, jump-host, CI/CD agent, and non-developer endpoint asset classes.
Deployment: DNS logging platforms (Zeek DNS, Palo Alto DNS Security, Umbrella, BIND query logs). Scope alert to non-developer host asset groups for LOW FP rate.
title: DNS Resolution of OpenClaw AI-Agent Framework Distribution Domains
id: 962739fd-fd90-4172-9147-d841800c2517
status: test
description: >-
Detects DNS resolution requests for openclaw.ai, docs.openclaw.ai, or lightmake.site —
the OpenClaw AI-agent framework distribution, documentation, and adjacent-infrastructure
domains observed in attacker-customized Claude Code allowlist abuse campaigns. Queries
from server-class or non-developer hosts represent high-priority findings; queries from
developer hosts require allowlist content review to confirm legitimacy.
references:
- https://the-hunters-ledger.com/reports/korean-claude-openclaw-221.150.15.104/
- https://the-hunters-ledger.com/hunting-detections/korean-claude-openclaw-221.150.15.104-detections/
author: The Hunters Ledger
date: 2026/05/27
tags:
- attack.defense-evasion
- attack.resource-development
logsource:
category: dns
detection:
selection:
dns.question.name|contains:
- 'openclaw.ai'
- 'lightmake.site'
condition: selection
falsepositives:
- >-
Legitimate OpenClaw product adopters on developer-class workstations evaluating the
framework for sanctioned use. Whitelist known developer hosts and focus alerting on
server-class, jump-host, CI/CD agent, and non-developer endpoints for a low FP rate.
level: medium
Rule 3 — Process Creation: curl Piped to bash Referencing openclaw.ai
Detection Priority: HIGH
Rationale: Detects the process creation event for the OpenClaw curl|bash installer pipeline — the first of the seven attacker-pre-authorized commands. This fires when Claude Code (or any shell) executes the exact installer-fetch command the operator pre-authorized. The combination of curl, openclaw.ai, and bash in the command line is extremely high-signal.
ATT&CK Coverage: T1059.004 (Unix Shell), T1562.001 (Disable or Modify Tools — executing under attacker-customized allowlist)
Confidence: HIGH
False Positive Risk: LOW — the combination of curl + openclaw.ai + bash in a single command line has no known legitimate use outside of OpenClaw installation. Generic curl|bash without the openclaw.ai domain would be caught by the broader heuristic (Rule YARA-2) but is not covered here to maintain precision.
Deployment: Linux and macOS endpoints with process-creation telemetry (auditd, Sysmon for Linux, ESA, EDR). Priority target: CI/CD agents, build servers, developer workstations.
title: OpenClaw AI-Agent Framework curl-pipe-bash Installer Execution
id: e02ddbf4-0a77-4c13-85ac-cd1ed9d8e66d
status: test
description: >-
Detects execution of the OpenClaw AI-agent framework curl-pipe-bash installer pipeline.
The command-line pattern (curl fetching from openclaw.ai piped to bash) is the primary
distribution mechanism documented in the Korean-ClaudeCode-Allowlist-OpenClaw-221.150.15.104
operator campaign and indicates active execution of an attacker-pre-authorized AI-agent
tooling install under a customized Claude Code permission allowlist.
references:
- https://the-hunters-ledger.com/reports/korean-claude-openclaw-221.150.15.104/
- https://the-hunters-ledger.com/hunting-detections/korean-claude-openclaw-221.150.15.104-detections/
author: The Hunters Ledger
date: 2026/05/27
tags:
- attack.execution
- attack.defense-evasion
logsource:
category: process_creation
product: linux
detection:
selection:
CommandLine|contains|all:
- 'curl'
- 'openclaw.ai'
- 'bash'
condition: selection
falsepositives:
- >-
Legitimate OpenClaw evaluation or testing on developer-class workstations. The
openclaw.ai domain scopes FP risk tightly — this rule will not fire on unrelated
curl-pipe-bash installer patterns.
level: high
Rule 4 — Process Creation: openclaw gateway Listener Invocation
Detection Priority: HIGH
Rationale: Detects execution of the openclaw gateway command — the runtime invocation that starts the OpenClaw local-gateway service on a TCP port (typically 18789 per the observed artifact). This fires after the installation phase and indicates the operator has moved from install to active use of the OpenClaw control plane. Presence of openclaw in process image + gateway + --port in command line is a definitive post-install signal.
ATT&CK Coverage: T1090.001 (Internal Proxy — OpenClaw gateway functions as a local control-plane proxy between Claude Code and downstream skills), T1562.001 (Disable or Modify Tools — executing under attacker-customized allowlist)
Confidence: HIGH
False Positive Risk: LOW — openclaw gateway is not a generic command pattern and will not fire on any process unrelated to OpenClaw. Legitimate OpenClaw adopters will trigger this rule; scope to non-developer or unrecognized host asset classes for lowest FP rate.
Deployment: Linux and macOS endpoints with process-creation telemetry. Cross-correlate with port-18789 listener inventory for confirmation.
title: OpenClaw AI-Agent Gateway Service Started
id: f6a6901a-73dc-49c9-8c05-5ca64aa89d23
status: test
description: >-
Detects invocation of the OpenClaw local-gateway service via the 'openclaw gateway --port'
command pattern. The OpenClaw gateway functions as a local control-plane proxy between
Claude Code and downstream OpenClaw skills — its startup indicates the operator has
completed installation and is bringing up the AI-agent control plane. Observed as
allowlist entry 6 in the Korean-ClaudeCode-Allowlist-OpenClaw-221.150.15.104 campaign.
references:
- https://the-hunters-ledger.com/reports/korean-claude-openclaw-221.150.15.104/
- https://the-hunters-ledger.com/hunting-detections/korean-claude-openclaw-221.150.15.104-detections/
author: The Hunters Ledger
date: 2026/05/27
tags:
- attack.command-and-control
- attack.defense-evasion
logsource:
category: process_creation
product: linux
detection:
selection_image:
Image|endswith: '/openclaw'
selection_cmdline:
CommandLine|contains|all:
- 'gateway'
- '--port'
condition: selection_image or selection_cmdline
falsepositives:
- >-
Legitimate OpenClaw adopters on developer-class workstations. The `openclaw gateway`
command pattern is specific enough to avoid non-OpenClaw FPs. Scope alerting to
server-class, jump-host, and non-developer endpoints for highest signal-to-noise ratio.
level: medium
Rule 5 — Network Connection to npm Registry Fetching openclaw Package
Detection Priority: MEDIUM
Rationale: Detects network connections to the npm registry (registry.npmjs.org) where the HTTP request path contains the openclaw package name — the alternative installation path documented in the operator’s allowlist (npm i -g openclaw). This fires during the npm global install phase and catches OpenClaw installs that bypass the curl|bash installer in favor of the npm registry.
ATT&CK Coverage: T1059.007 (JavaScript — npm/Node.js package execution), T1562.001 (Disable or Modify Tools)
Confidence: MODERATE — npm proxy telemetry and HTTP inspection are not universally available; coverage depends on deployment of proxy-level or DNS-level monitoring.
False Positive Risk: LOW on server-class hosts (no legitimate reason to npm i -g openclaw on a server); MEDIUM on developer hosts (developer may be evaluating the framework).
Deployment: Web proxy logs, DNS-based npm monitoring. Higher value on server-class and CI/CD agent hosts.
title: npm Registry Fetch for OpenClaw Package
id: d3a240e8-79a9-44d7-8b51-199389276d28
status: test
description: >-
Detects HTTP requests to the npm registry (registry.npmjs.org) for the openclaw package
name — the alternative installation path for the OpenClaw AI-agent framework documented
in the Korean-ClaudeCode-Allowlist-OpenClaw-221.150.15.104 operator campaign. On
non-developer-class hosts, any npm fetch for the openclaw package is a high-priority
finding indicating active AI-agent tooling installation.
references:
- https://the-hunters-ledger.com/reports/korean-claude-openclaw-221.150.15.104/
- https://the-hunters-ledger.com/hunting-detections/korean-claude-openclaw-221.150.15.104-detections/
author: The Hunters Ledger
date: 2026/05/27
tags:
- attack.execution
- attack.defense-evasion
logsource:
category: proxy
detection:
selection:
cs-host|contains: 'registry.npmjs.org'
cs-uri-stem|contains: 'openclaw'
condition: selection
falsepositives:
- >-
Legitimate developers evaluating or installing OpenClaw on sanctioned developer
workstations. On server-class hosts, CI/CD agents, and non-developer endpoints,
treat as high-priority and escalate.
level: medium
Suricata Signatures
Rule 1 — TLS SNI Match: openclaw.ai (Primary Distribution Domain)
Detection Priority: HIGH
Rationale: Detects outbound TLS connections (HTTPS) where the Server Name Indication (SNI) field contains openclaw.ai — the primary OpenClaw distribution and installer hosting domain. SNI-based detection fires before any payload exchange and is not bypassable by payload encryption. Fires on both the installer fetch (openclaw.ai/install.sh) and general product traffic.
ATT&CK Coverage: T1562.001 (Disable or Modify Tools), T1059.004 (Unix Shell — installer distribution)
Confidence: HIGH
False Positive Risk: LOW on server-class hosts; MEDIUM on developer workstations with legitimate OpenClaw evaluation.
Deployment: Network perimeter, IDS/IPS sensors with TLS inspection or SNI-logging capability. Use threshold to prevent alert flood from bulk installers.
alert tls $HOME_NET any -> any any (msg:"THL Korean-ClaudeCode-Allowlist OpenClaw Distribution Domain TLS SNI (openclaw.ai)"; tls.sni; content:"openclaw.ai"; nocase; startswith; endswith; threshold:type limit, track by_src, count 1, seconds 300; sid:9002701; rev:1; metadata:campaign Korean-ClaudeCode-Allowlist-OpenClaw-221.150.15.104, created_at 2026_05_27, updated_at 2026_05_27;)
Rule 2 — TLS SNI Match: docs.openclaw.ai (Documentation Domain)
Detection Priority: MEDIUM
Rationale: Detects outbound TLS connections where the SNI field is docs.openclaw.ai — the OpenClaw documentation host pre-authorized by the operator’s Claude Code WebFetch(domain:docs.openclaw.ai) allowlist entry. This fires during the onboarding phase when Claude Code is authorized to fetch OpenClaw docs on the operator’s behalf. Subdomain-specific rule avoids collateral alerting on the parent openclaw.ai domain.
ATT&CK Coverage: T1562.001 (Disable or Modify Tools), T1082 (System Information Discovery — operator uses Claude Code WebFetch to consume OpenClaw capability documentation)
Confidence: HIGH
False Positive Risk: LOW — docs.openclaw.ai is accessed only during active OpenClaw onboarding/evaluation.
Deployment: Network perimeter with SNI logging. Lower priority than Rule 1; use for enrichment when Rule 1 has already fired.
alert tls $HOME_NET any -> any any (msg:"THL Korean-ClaudeCode-Allowlist OpenClaw Documentation Domain TLS SNI (docs.openclaw.ai)"; tls.sni; content:"docs.openclaw.ai"; nocase; startswith; endswith; threshold:type limit, track by_src, count 1, seconds 300; sid:9002702; rev:1; metadata:campaign Korean-ClaudeCode-Allowlist-OpenClaw-221.150.15.104, created_at 2026_05_27, updated_at 2026_05_27;)
Rule 3 — HTTP Host Match: Operator Open Directory (221.150.15.104:8080)
Detection Priority: MEDIUM
Rationale: Detects HTTP requests to the operator’s exposed open directory at 221.150.15.104:8080 — the discovery vector that exposed the settings.local.json artifact. This rule is primarily useful for detecting analyst or threat-intelligence tooling that is actively surveying the open directory; any internal host accessing this IP:port combination is anomalous and warrants investigation.
ATT&CK Coverage: T1190 (Exploit Public-Facing Application — accessing the operator’s misconfigured open directory)
Confidence: HIGH (for the specific IP; any internal host reaching this endpoint is high-priority)
False Positive Risk: LOW — no legitimate internal business communication with 221.150.15.104:8080 is expected outside of deliberate threat-intelligence investigation tooling.
Deployment: Network perimeter IDS/IPS. Consider adding 221.150.15.104 to IP blocklists for outbound traffic from non-TI workstations.
alert http $HOME_NET any -> 221.150.15.104 any (msg:"THL Korean-ClaudeCode-Allowlist Operator Open Directory Access (221.150.15.104:8080)"; http.host; content:"221.150.15.104"; bsize:14; http.method; content:"GET"; threshold:type limit, track by_src, count 1, seconds 3600; sid:9002703; rev:1; metadata:campaign Korean-ClaudeCode-Allowlist-OpenClaw-221.150.15.104, created_at 2026_05_27, updated_at 2026_05_27;)
Coverage Gaps
Gap 1 — No malware binary; no PE-class YARA rule possible.
This campaign produced no executable artifact. The analysis subject is the operator’s ~/.claude/settings.local.json configuration file (442 bytes, JSON). PE-class YARA rules (MZ header, section entropy, import hash) are not applicable. All YARA coverage in this file is scoped to text-format JSON configuration files.
Gap 2 — No C2 protocol observed; no C2-traffic behavioral Sigma or Suricata rules possible. The operator’s open directory and configuration artifact do not expose a C2 channel. The OpenClaw gateway (port 18789) is a local loopback service — its external C2 behavior (if any) is not documented in the captured evidence and should not be fabricated. If future evidence documents the OpenClaw gateway’s external egress protocol, C2-traffic rules should be added.
Gap 3 — OpenClaw skill execution behavior is undocumented in the captured evidence.
The settings.local.json artifact documents the install + gateway-bring-up chain but does not specify which OpenClaw skills the operator deployed or what attack capabilities they exercised. The adjacent parent investigation (Cases 2 and 7) documents OpenClaw’s .skillhub/ attack-capability ecosystem, but that evidence belongs to those cases, not this artifact. No rules have been written for specific OpenClaw skill execution behavior from this case’s evidence.
Gap 4 — lightmake.site Suricata coverage omitted (insufficient case-specific evidence).
lightmake.site appears in the parent investigation’s OpenClaw ecosystem documentation and in the IOC feed with MODERATE confidence, but it is not directly referenced in the Case 4 settings.local.json artifact. A Suricata SNI rule for lightmake.site was not authored because the Case 4 case-analysis brief explicitly notes the domain was “promoted from the parent investigation umbrella’s OpenClaw ecosystem documentation” rather than directly observed in this artifact. To add coverage: confirm lightmake.site appears in direct Case 4 evidence, then add alert tls $HOME_NET any -> any any (msg:"THL OpenClaw lightmake.site TLS SNI"; tls.sni; content:"lightmake.site"; nocase; startswith; endswith; ...).
Gap 5 — Attacker evasion by tooling substitution.
The allowlist-customization technique (pre-approving curl|bash + global npm install + listener bring-up in settings.local.json) is fully documented in this report. An operator who reads it can substitute any other AI-agent framework for OpenClaw and bypass all OpenClaw-specific string rules. The resilience detection anchor is the broader curl|bash-in-allowlist YARA heuristic (Rule YARA-2) and the generic process creation patterns (Rule Sigma-3), which fire on the structural pattern regardless of tool name. These cannot be evaded by swapping the domain or package name without also changing the curl|bash distribution model itself.
Gap 6 — macOS-specific open command detection not covered.
Allowlist entry 7 (Bash(open http://127.0.0.1:18789/)) uses the macOS open command to launch the OpenClaw gateway UI in the default browser. A Sigma rule for process_creation matching Image|endswith: '/open' with CommandLine|contains: '127.0.0.1:18789' is technically feasible on macOS with Sysmon for macOS or ESA telemetry, but was omitted because the open command is extremely common on macOS (used by countless legitimate applications) and the port-specific matching would produce high FP rates without additional context. This gap is best addressed by correlating port-18789 listener inventory (host level) with process logs rather than a standalone process-creation Sigma rule.
Gap 7 — Sigma file_event content matching limitation.
The Sigma file_event rule (Rule Sigma-1) matches on file path metadata only; file content is not natively queryable in most Sigma back-end implementations (Elastic, Splunk, etc.). Defenders relying on this rule alone will detect the write event but cannot confirm allowlist content without secondary tooling. The YARA rules (Rules YARA-1 and YARA-2) provide the content-level confirmation layer. Recommend pairing the Sigma file-event rule with a scheduled YARA scan of .claude/settings.local.json files on monitored endpoints for complete coverage.
License
Detection rules are licensed under Creative Commons Attribution-NonCommercial 4.0 International (CC BY-NC 4.0).
Free to use in your environment, but not for commercial purposes.