
We let OpenClaw loose on an internal network. Here’s what it found

Sophos researchers successfully deployed the OpenClaw AI agent in a controlled red team engagement against a legacy on-prem network. By implementing strict safety guardrails and custom-built skills, the agent autonomously conducted Active Directory reconnaissance and exploitation, significantly reducing operational time while identifying 23 actionable security findings.

Confidence: high | Analyzed: 2026-04-09 | Category: reports

Authors: Ross McKerchar

Actors: OpenClaw

Source: Sophos

IOCs · 1
  • domain: matrix-claw - NixOS instance hostname used to host the OpenClaw red-team agent during the engagement.

Key Takeaways

  • Sophos deployed the OpenClaw AI agent on a legacy on-prem network for an automated, deliberately noisy red team engagement.
  • The AI agent drastically reduced Active Directory reconnaissance time from three days to just three hours.
  • Strict safety guardrails (the 'Lethal Trifecta') and custom skills were implemented to prevent destructive actions, self-inflicted ransomware, or data exfiltration.
  • The agent demonstrated autonomy and creativity, such as provisioning an EC2 GPU instance to crack acquired hashes when a primary attack path was blocked.
  • The assessment yielded 23 actionable, high-quality findings and produced a highly detailed audit trail of the attack paths.

Affected Systems

  • Active Directory
  • Legacy on-prem networks
  • Windows
  • Linux (NixOS)

Attack Chain

The OpenClaw agent, operating from a NixOS instance, was deployed into a legacy on-prem network with strict ingress and egress controls. Utilizing custom-built skills and tools like Impacket, NetExec, and bloodhound-python, the agent conducted authenticated Active Directory reconnaissance from a Linux host. Upon identifying attack paths, it autonomously executed techniques such as Kerberoasting, ACL abuse, and pass-the-hash, and even provisioned an EC2 GPU instance to crack acquired hashes when blocked.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

The article discusses a red team experiment using an AI agent and does not provide specific detection rules or queries.

Detection Engineering Assessment

  • EDR Visibility: High - The engagement was deliberately noisy and optimized for coverage rather than evasion, generating a large number of internal detections and alerts across the monitoring stack.
  • Network Visibility: Medium - While strict ingress/egress controls were in place, internal lateral movement and LDAP queries would be highly visible to internal network sensors.
  • Detection Difficulty: Easy - The agent was not configured for stealth, making its rapid enumeration and exploitation attempts highly visible to standard SOC monitoring.

Required Log Sources

  • Windows Security Event Logs (Event ID 4624, 4662, 4769)
  • Active Directory LDAP logs
  • EDR telemetry
  • CloudTrail / AWS API logs (for EC2 provisioning)

Hunting Hypotheses

  • Hypothesis: Look for high volumes of LDAP queries originating from non-standard Linux hosts, indicating potential automated Active Directory reconnaissance.
    • Telemetry: Network traffic, LDAP query logs
    • ATT&CK Stage: Discovery
    • FP Risk: Low
  • Hypothesis: Monitor for unusual Kerberos service ticket requests (TGS) associated with Kerberoasting, especially from single endpoints in a short timeframe.
    • Telemetry: Windows Security Event ID 4769
    • ATT&CK Stage: Credential Access
    • FP Risk: Medium
  • Hypothesis: Detect DCSync attempts by monitoring for directory replication requests (DS-Replication-Get-Changes) originating from non-Domain Controller IP addresses.
    • Telemetry: Windows Security Event ID 4662
    • ATT&CK Stage: Credential Access
    • FP Risk: Low
  • Hypothesis: Identify unusual EC2 GPU instance provisioning events triggered shortly after internal credential access alerts, indicating potential offline password cracking.
    • Telemetry: AWS CloudTrail logs
    • ATT&CK Stage: Credential Access
    • FP Risk: Low
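The Kerberoasting and DCSync hypotheses above, turned into detection logic and run over constructed Windows Security events. This is an added example, not code from Sophos or the OpenClaw project; the event field names, the domain controller address, the burst window and the SPN threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Well-known control access right GUIDs logged in the Properties field of
# Event ID 4662 when directory replication (DCSync) is requested.
DS_REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}
DOMAIN_CONTROLLER_IPS = {"10.0.0.10"}  # assumed DC address for the sample domain

def ev(eid, minute, ip, **extra):
    """Build one constructed event; the field names are this example's own."""
    return {"id": eid, "time": f"2026-04-01T09:{minute:02d}:00", "ip": ip, **extra}

# Constructed sample: six RC4 (0x17) TGS requests for distinct SPNs from one
# Linux host in five minutes, some benign 4769s, and a benign/suspect 4662 pair.
SAMPLE_EVENTS = [ev(4769, m, "10.0.5.23", spn=f"svc{m}/host{m}", etype="0x17")
                 for m in range(6)] + [
    ev(4769, 10, "10.0.7.8", spn="cifs/fs01", etype="0x12"),   # AES, normal
    ev(4769, 12, "10.0.7.8", spn="cifs/fs01", etype="0x17"),   # single SPN
    ev(4662, 20, "10.0.0.10", account="DC02$", props=list(DS_REPLICATION_GUIDS)),
    ev(4662, 21, "10.0.5.23", account="svc_backup",
       props=["1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"]),
]

def kerberoast_bursts(events, window=timedelta(minutes=5), threshold=5):
    """Source addresses that requested RC4 service tickets (4769, etype 0x17)
    for at least `threshold` distinct SPNs within `window`."""
    by_ip = defaultdict(list)
    for e in events:
        if e["id"] == 4769 and e["etype"] == "0x17":
            by_ip[e["ip"]].append((datetime.fromisoformat(e["time"]), e["spn"]))
    flagged = set()
    for ip, reqs in by_ip.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):
            spns = {s for t, s in reqs[i:] if t - start <= window}
            if len(spns) >= threshold:
                flagged.add(ip)
                break
    return flagged

def dcsync_attempts(events, dc_ips=DOMAIN_CONTROLLER_IPS):
    """(ip, account) pairs for replication requests (4662) not sourced from a
    known domain controller. 4662 itself carries no client address, so `ip`
    is assumed to have been joined from the matching 4624 logon session."""
    return {(e["ip"], e["account"]) for e in events
            if e["id"] == 4662 and e["ip"] not in dc_ips
            and DS_REPLICATION_GUIDS & set(e["props"])}
```

On the sample data the Linux host 10.0.5.23 is flagged by both functions, which is the correlation the "Key Behavioral Indicators" section below describes.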

Control Gaps

  • Lack of AI agent-specific behavioral guardrails in standard environments
  • Potential over-permissive ACLs in legacy Active Directory environments

Key Behavioral Indicators

  • Execution of Impacket or NetExec from Linux hosts
  • Rapid, sequential AD enumeration commands
  • Unusual EC2 instance provisioning for GPU resources linked to internal recon activity

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Review internal alerts generated during the OpenClaw engagement to tune detection logic.
  • Ensure strict ingress and egress controls are in place for legacy on-prem networks.

Infrastructure Hardening

  • Implement strict network segmentation to isolate legacy environments from cloud-native workloads.
  • Restrict LDAP enumeration capabilities for standard users.
  • Audit and remediate overly permissive Active Directory ACLs and delegation rights.

User Protection

  • Enforce least privilege access for Active Directory accounts to limit the impact of compromised credentials.
  • Monitor for and block unauthorized use of offensive security tools like Impacket and NetExec.

Security Awareness

  • Train SOC analysts on the behavioral patterns and speed of autonomous AI red-teaming agents.
  • Develop policies and guardrails for the safe internal use of LLMs and AI agents.

MITRE ATT&CK Mapping

  • T1087.002 - Account Discovery: Domain Account
  • T1482 - Domain Trust Discovery
  • T1069.002 - Permission Groups Discovery: Domain Groups
  • T1558.003 - Kerberoasting
  • T1003.006 - OS Credential Dumping: DCSync
  • T1550.002 - Use Alternate Authentication Material: Pass the Hash
  • T1110.002 - Password Cracking

Additional IOCs

  • Other:
    • zero - Operator handle configured as the controlling operator for the OpenClaw agent.
    • ste - Approved authority operator handle for the OpenClaw agent.
    • sam - Approved authority operator handle for the OpenClaw agent.